PT-2026-32618 · Eclipse Foundation · Jetty

Xclow3N · Published 2026-04-14 · Updated 2026-05-01 · CVE-2026-2332

CVSS v3.1 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Eclipse Jetty versions 12.1.0 through 12.1.6
Eclipse Jetty versions 12.0.0 through 12.0.32
Eclipse Jetty versions 11.0.0 through 11.0.27
Eclipse Jetty versions 10.0.0 through 10.0.27
Eclipse Jetty versions 9.4.0 through 9.4.59
Description

The HTTP/1.1 parser incorrectly handles quoted strings within chunked transfer-encoding extension values. When it encounters a carriage return and line feed (CRLF) sequence inside a quoted string, it terminates chunk-header parsing at that point instead of rejecting the message as malformed (the HTTP quoted-string grammar does not permit CR or LF inside the quotes). A front-end proxy, load balancer or cache that parses the same chunk extension differently will therefore disagree with Jetty about where the chunk header, and hence the request body, ends. An attacker can use that disagreement to inject a smuggled HTTP request behind the front-end, which, depending on the deployment, can lead to cache poisoning, access control bypass, and session hijacking.
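The following is an added illustration, not Jetty's code and not taken from the advisory: two small chunked-body parsers fed the same constructed attacker body. With strict=False the parser models the flawed behaviour described above (a CRLF inside a quoted chunk-extension value ends the chunk header); with strict=True it applies the quoted-string grammar and rejects the message, which is the fixed behaviour. The chunk sizes, extension name and the trailing "GET /admin" request are all constructed for the example; the function and constant names are this example's own.

```python
CRLF = b"\r\n"
HEX = b"0123456789abcdefABCDEF"


class ChunkError(ValueError):
    """Raised when the chunked body is malformed (the fixed behaviour: reject)."""


def parse_chunk_header(data: bytes, pos: int, strict: bool) -> tuple[int, int]:
    """Parse `chunk-size [ chunk-ext ] CRLF` starting at data[pos].

    Returns (chunk_size, offset just past the terminating CRLF).
    strict=False models the flawed parser: a CRLF inside a quoted
    chunk-ext value terminates the header line.
    strict=True follows the quoted-string grammar (RFC 9110 section 5.6.4),
    in which CR and LF are not valid qdtext, and rejects the message.
    """
    start = pos
    while pos < len(data) and data[pos] in HEX:
        pos += 1
    if pos == start:
        raise ChunkError("missing chunk-size")
    size = int(data[start:pos], 16)

    in_quote = False
    while pos < len(data):
        b = data[pos]
        if in_quote and b == 0x5C and pos + 1 < len(data) and data[pos + 1] not in (0x0D, 0x0A):
            pos += 2                      # quoted-pair: skip the escaped octet
            continue
        if b == 0x22:                     # '"' opens or closes a quoted-string
            in_quote = not in_quote
        elif data.startswith(CRLF, pos):
            if in_quote and strict:
                raise ChunkError("CRLF inside quoted chunk-ext value")
            return size, pos + 2          # flawed path: header ends here even inside quotes
        elif b in (0x0D, 0x0A):
            raise ChunkError("bare CR or LF in chunk header")
        pos += 1
    raise ChunkError("truncated chunk header")


def parse_chunked(data: bytes, strict: bool = False) -> tuple[list[bytes], bytes]:
    """Decode one chunked body. Returns (chunks, bytes left on the connection).

    Trailer fields are skipped; the body ends at the empty line after the 0 chunk.
    """
    pos, chunks = 0, []
    while True:
        size, pos = parse_chunk_header(data, pos, strict)
        if size == 0:
            while True:                   # skip trailer lines up to the empty line
                end = data.find(CRLF, pos)
                if end == -1:
                    raise ChunkError("truncated trailer")
                line, pos = data[pos:end], end + 2
                if line == b"":
                    break
            return chunks, data[pos:]
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkError("truncated chunk-data")
        pos += size
        if not data.startswith(CRLF, pos):
            raise ChunkError("chunk-data not followed by CRLF")
        pos += 2
        chunks.append(chunk)


# Constructed attacker body (not from the advisory). The comments show how
# the flawed parser reads it; the strict parser stops at the first CRLF.
SMUGGLED_BODY = (
    b'5;ext="open\r\n'          # flawed: chunk header ends here, size = 5
    b"hello\r\n"                 # 5 octets of chunk-data + CRLF
    b"0\r\n"                     # last-chunk
    b"\r\n"                      # empty trailer: body complete
    b"GET /admin HTTP/1.1\r\n"   # left over on the connection: a second request
    b"Host: internal\r\n\r\n"
)


def decode(data: bytes, strict: bool) -> dict:
    """Report what each parser makes of the same bytes."""
    try:
        chunks, rest = parse_chunked(data, strict)
        return {"ok": True, "body": b"".join(chunks), "leftover": rest}
    except ChunkError as e:
        return {"ok": False, "error": str(e)}


if __name__ == "__main__":
    print("flawed:", decode(SMUGGLED_BODY, strict=False))
    print("fixed: ", decode(SMUGGLED_BODY, strict=True))
```

The flawed parser accepts the body, decodes it as "hello", and leaves a complete second request on the connection to be parsed next; the strict parser raises on the CRLF inside the quotes and the connection is closed with an error. The example shows only Jetty's side of the desync: actual smuggling additionally needs a front-end that forwarded those bytes as a single request, which is deployment-specific.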
Recommendations

Update Eclipse Jetty to a version later than 12.1.6.
Update Eclipse Jetty to a version later than 12.0.32.
Update Eclipse Jetty to a version later than 11.0.27.
Update Eclipse Jetty to a version later than 10.0.27.
Update Eclipse Jetty to a version later than 9.4.59.

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

CVE-2026-2332
GHSA-355H-QMC2-WPWF
OPENSUSE-SU-2026:10574-1

Affected Products

Jetty
Rocky Linux