CVE Reports

Originally published at cvereports.com

CVE-2026-2332: HTTP Request Smuggling in Eclipse Jetty via Chunked Extension Quoted-String Parsing

Vulnerability ID: CVE-2026-2332
CVSS Score: 7.4
Published: 2026-04-14

Eclipse Jetty's HTTP/1.1 parser contains a state-machine flaw when handling chunked transfer encoding extensions, leading to critical HTTP Request Smuggling via "Funky Chunks" techniques.

TL;DR

Jetty incorrectly terminates HTTP/1.1 chunk extension parsing when encountering a newline inside a quoted string, allowing attackers to desynchronize proxies and back-ends to smuggle malicious requests.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-444
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.4 (High)
  • EPSS Score: 0.00031
  • Impact: High Confidentiality, High Integrity
  • Exploit Status: Proof-of-Concept (PoC)
  • KEV Status: Not Listed

Affected Systems

  • Web applications utilizing vulnerable Jetty versions behind a reverse proxy
  • Eclipse Jetty: 9.4.0 <= version <= 9.4.59 (Fixed in: 9.4.60)
  • Eclipse Jetty: 10.0.0 <= version <= 10.0.27 (Fixed in: 10.0.28)
  • Eclipse Jetty: 11.0.0 <= version <= 11.0.27 (Fixed in: 11.0.28)
  • Eclipse Jetty: 12.0.0 <= version <= 12.0.32 (Fixed in: 12.0.33)
  • Eclipse Jetty: 12.1.0 <= version <= 12.1.6 (Fixed in: 12.1.7)

Code Analysis

Commit: 91435de

Fix chunk extension parsing logic to reject embedded newlines in quoted strings

Exploit Details

  • smugchunks: Scanner and testing toolkit for identifying Funky Chunks vulnerabilities

Mitigation Strategies

  • Upgrade Eclipse Jetty to the latest patched versions
  • Configure front-end proxies to normalize chunked requests and strip chunk extensions
  • Disable HTTP/1.1 keep-alive between proxy and back-end (as a last resort)
  • Deploy strict WAF rules validating quoted-string constraints in chunk extensions

Remediation Steps:

  1. Audit the environment to identify all instances of Eclipse Jetty versions 9.4.x through 12.1.6.
  2. Apply vendor patches to upgrade to versions 9.4.60, 10.0.28, 11.0.28, 12.0.33, or 12.1.7.
  3. Modify load balancer or reverse proxy configurations to strip or normalize HTTP chunk extensions before forwarding requests.
  4. Validate the mitigation by testing the infrastructure with the open-source 'smugchunks' scanner.
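The proxy-side mitigations above (strip or normalize chunk extensions, and enforce quoted-string constraints) can be sketched as one strict re-framing check. This is an added example, not code from the original report or from the Jetty project; the names `check_chunked_body` and `ChunkFramingError`, the 8-hex-digit size cap, the refusal of trailer fields and both sample byte strings are assumptions made for illustration.

```python
import re

# Grammar: RFC 9112 section 7.1 (chunk-ext), RFC 9110 section 5.6 (token, quoted-string).
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE; CR and LF are never valid inside.
QUOTED = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
EXT = rb"[ \t]*;[ \t]*" + TOKEN + rb"(?:[ \t]*=[ \t]*(?:" + TOKEN + rb"|" + QUOTED + rb"))?"
# Assumption: chunk-size capped at 8 hex digits to bound allocation.
CHUNK_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})((?:" + EXT + rb")*)\r\n")

# Constructed samples: a well-formed extension, and one whose quoted string
# is still open when the header line ends.
SAMPLE_OK = b'5;note="a b"\r\nhello\r\n0\r\n\r\n'
SAMPLE_BAD = b'5;note="a\r\nhello\r\n0\r\n\r\n'


class ChunkFramingError(ValueError):
    """Raised when a chunked body does not match the strict grammar."""


def check_chunked_body(body: bytes, strip_extensions: bool = True) -> bytes:
    """Validate a complete chunked body and return it re-encoded.

    With strip_extensions=True the forwarded copy carries no chunk
    extensions, so the back-end never has to parse them.
    """
    pos, out = 0, bytearray()
    while True:
        m = CHUNK_LINE.match(body, pos)
        if m is None:  # bad size, bare LF, or malformed/unterminated extension
            raise ChunkFramingError(f"malformed chunk header at offset {pos}")
        size, pos = int(m.group(1), 16), m.end()
        out += m.group(1) + (b"" if strip_extensions else m.group(2)) + b"\r\n"
        if size == 0:
            break
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkFramingError(f"chunk data not followed by CRLF at offset {pos}")
        out += data + b"\r\n"
        pos += size + 2
    # Assumption: trailer fields are refused; only the terminating CRLF may follow.
    if body[pos:] != b"\r\n":
        raise ChunkFramingError("unexpected bytes after last chunk")
    return bytes(out + b"\r\n")
```

A request that raises `ChunkFramingError` should be rejected with a 400 and the connection closed rather than forwarded, so that both hops agree on where the message ends.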

Read the full report for CVE-2026-2332 on our website for more details including interactive diagrams and full exploit analysis.
