HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Description

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

Affected Products

Vendor	Product	Versions
eclipse foundation	eclipse jetty	12.1.0, 12.0.0, 11.0.0, 10.0.0, 9.4.0

References

https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf(third-party-advisory)
https://gitlab.eclipse.org/security/cve-assignment/-/issues/89(issue-tracking)

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-2332 | Eclipse Jetty up to 9.4.59/10.0.27/11.0.27/12.0.32/12.1.6 Double Quote request smuggling

→ No new info (linked only)

CVSS 3.17.4 HIGH

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA KEV❌ No

Actively exploited❌ No

CWECWE-444

PublishedApr 14, 2026

Last enriched4h agov2

Trending Score40

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated affected versions to include 12.1.6, 12.0.32, 11.0.27, 10.0.27, and 9.4.59, and provided a new description detailing the vulnerability as CVE-2026-2332.

affectedVersionsdescription

via VulDB

v15h ago

Initial creation