logo

Database

HTTP request smuggling In jetty9

Description

Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Description (as reported)

Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks.

Background

This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques:

The original research tested various chunk extension parsing differentials but did not test quoted-string handling within extension values.

Technical Details

RFC 9112 Section 7.1.1 defines chunked transfer encoding:

chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
chunk-ext-val = token / quoted-string

RFC 9110 Section 5.6.4 defines quoted-string:

quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE

A quoted-string continues until the closing DQUOTE, and \r\n sequences are not permitted within the quotes.

Vulnerability

Jetty terminates chunk header parsing at \r\n inside quoted strings instead of treating this as an error.

Expected (RFC compliant):

Chunk: 1;a="value\r\nhere"\r\n
         ^^^^^^^^^^^^^^^^^^ extension value
Body: [1 byte after the real \r\n]

Actual (jetty):

Chunk: 1;a="value
            ^^^^^ terminates here (WRONG)
Body: here"... treated as body/next request

Proof of Concept

#!/usr/bin/env python3
import socket

payload = (
    b"POST / HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"...

Result: Server returns 2 HTTP responses from a single TCP connection.

Parsing Breakdown

Parser
Request 1
Request 2

Impact

    Request Smuggling: Attacker injects arbitrary HTTP requests

    Cache Poisoning: Smuggled responses poison shared caches

    Access Control Bypass: Smuggled requests bypass frontend security

    Session Hijacking: Smuggled requests can steal other users' responses

Reproduction

    Start the minimal POC with docker

    Run the poc script provided in same zip

Suggested Fix

Ensure the chunk framing and extensions are parsed exactly as specified in RFC9112. A CRLF inside a quoted-string should be considered a parsing error and not a line terminator.

Patches

No patches yet.

Workarounds

No workarounds yet.

References

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-23322. NVD-2026-23323. OSV-DEBIAN-2026-23324. OSV-2026-23325. GHSA-355h-qmc2-wpwf6. GCVE-2026-23327. SECURITY-TRACKER-CVE-2026-2332

References

1. https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf2. https://gitlab.eclipse.org/security/cve-assignment/-/issues/893. https://w4ke.info/2025/06/18/funky-chunks.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.