Jetty HTTP/1.1 Parser Vulnerable to Request Smuggling via Funky Chunks
The cybersecurity community is buzzing about a newly identified request smuggling vulnerability, CVE-2026-2332, impacting Eclipse Jetty’s HTTP/1.1 parser. According to the National Vulnerability Database, this flaw is strikingly similar to the ‘funky chunks’ techniques that have been making the rounds, allowing attackers to inject smuggled requests.
The core of the issue lies in how Jetty handles chunk extensions. The National Vulnerability Database highlights that instead of treating a \r\n sequence inside quoted strings within chunk extensions as an error, Jetty prematurely terminates parsing. This misinterpretation creates a critical window for an attacker to inject arbitrary HTTP requests, effectively bypassing security controls and potentially leading to a host of nefarious activities. The provided example clearly illustrates how a malformed chunk extension can lead to a smuggled GET request following a POST.
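The strict behaviour described above can be sketched as a chunk-header validator. This is an added example, not Jetty's code or its fix: it follows the RFC 9112 chunk-ext and RFC 9110 quoted-string grammar, where CR and LF are not legal inside a quoted value, so they raise an error rather than ending the header. The names `parse_chunk_header`, `ChunkError` and the sample inputs are hypothetical.

```python
import re

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 9110 token
HEXSIZE = re.compile(rb"[0-9A-Fa-f]+")

class ChunkError(ValueError): pass   # caller should answer 400 and close the connection

def _text(c):
    # HTAB, SP, visible ASCII or obs-text; CR (0x0d) and LF (0x0a) are excluded
    return c in (0x09, 0x20) or 0x21 <= c <= 0x7E or c >= 0x80

def _quoted_end(buf, i):
    """buf[i] is the opening DQUOTE; return the index just past the closing one."""
    i += 1
    while i < len(buf):
        c = buf[i]
        if c == 0x22:                       # closing DQUOTE
            return i + 1
        if c == 0x5C:                       # quoted-pair: validate the escaped byte
            i += 1
        if i >= len(buf) or not _text(buf[i]):
            raise ChunkError("control byte or truncation inside quoted chunk-ext value")
        i += 1
    raise ChunkError("unterminated quoted string")

def parse_chunk_header(buf, i=0):
    """Return (chunk_size, index of first data byte); extensions are validated."""
    m = HEXSIZE.match(buf, i)
    if not m:
        raise ChunkError("missing chunk-size")
    size, i = int(m.group(), 16), m.end()
    while buf[i:i + 1] == b";":             # optional whitespace (BWS) is rejected here
        m = TOKEN.match(buf, i + 1)
        if not m:
            raise ChunkError("bad chunk-ext name")
        i = m.end()
        if buf[i:i + 1] == b"=":
            m = TOKEN.match(buf, i + 1)
            if buf[i + 1:i + 2] == b'"':
                i = _quoted_end(buf, i + 1)
            elif m:
                i = m.end()
            else:
                raise ChunkError("bad chunk-ext value")
    if buf[i:i + 2] != b"\r\n":
        raise ChunkError("chunk header not terminated by CRLF")
    return size, i + 2

# Constructed sample header lines (not taken from the advisory)
GOOD = b'5;note="a b"\r\n'
BAD = b'5;note="a\r\nb"\r\n'     # CRLF inside the quoted value
```

`parse_chunk_header(GOOD)` returns the chunk size and data offset, while `parse_chunk_header(BAD)` raises `ChunkError` at the CR, so the front end and back end cannot disagree about where the header ends.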
Rated with a CVSS score of 7.4 (HIGH), this vulnerability, categorized under CWE-444 (Improper Handling of Extra Data), poses a significant risk. While specific affected products weren’t detailed by the National Vulnerability Database, the widespread use of Eclipse Jetty means this could have far-reaching implications across various web applications and services.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-2332 | Vulnerability | CVE-2026-2332 |