https://feed.craftedsignal.io/tags/cve-2026-2332/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 15 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-jetty-request-smuggling/Wed, 15 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-jetty-request-smuggling/Jetty is vulnerable to HTTP request smuggling due to improper parsing of quoted strings in HTTP/1.1 chunked transfer encoding extension values, potentially allowing attackers to inject arbitrary HTTP requests, poison caches, and bypass security controls.Jetty versions 9.4.0 through 12.1.6 are vulnerable to HTTP request smuggling due to incorrect parsing of quoted strings in HTTP/1.1 chunked transfer encoding extensions. This flaw stems from Jetty’s premature termination of chunk header parsing upon encountering a carriage return and line feed (CRLF) sequence within a quoted string, violating RFC 9112 specifications. An attacker can exploit this vulnerability to inject malicious HTTP requests into the application’s request stream, potentially bypassing security controls, poisoning caches, and even hijacking user sessions. This issue, identified as CVE-2026-2332, poses a significant risk to applications using affected Jetty versions. The vulnerability was discovered during research into “Funky Chunks” HTTP request smuggling techniques and highlights the importance of rigorous adherence to RFC specifications in HTTP server implementations.

Attack Chain

1. The attacker sends a crafted HTTP POST request with chunked transfer encoding to a vulnerable Jetty server.
2. The chunk header includes a quoted string within the chunk extension, containing a CRLF sequence. For example: Chunk: 1;a="\r\n.
3. Jetty incorrectly parses the chunk header, terminating parsing at the CRLF within the quoted string.
4. The remaining portion of the intended chunk extension and subsequent data are interpreted as the beginning of a new HTTP request.
5. The attacker injects a malicious HTTP GET request intended to be smuggled, such as GET /smuggled HTTP/1.1.
6. The smuggled request is processed by the server, potentially bypassing frontend security checks.
7. The server responds to the smuggled request.
8. The attacker may use the smuggled request to poison the cache, bypass access controls, or potentially hijack user sessions by intercepting sensitive data in the smuggled response.

Impact

Successful exploitation of this vulnerability allows attackers to inject arbitrary HTTP requests into the application’s request stream. This can lead to several severe consequences, including: cache poisoning, where malicious content is served to legitimate users; access control bypass, enabling unauthorized access to sensitive resources; and session hijacking, allowing attackers to impersonate other users. The vulnerability impacts Jetty versions 9.4.0 through 12.1.6. The number of affected installations is currently unknown. The primary target is any web application utilizing a vulnerable version of Jetty.

Recommendation

• Upgrade to a patched version of Jetty that addresses CVE-2026-2332.
• Deploy the Sigma rule Detect Jetty HTTP Request Smuggling to your SIEM and tune for your environment to detect exploitation attempts.
• Inspect web server logs for malformed chunk headers containing CRLF sequences within quoted strings, as this indicates a potential exploitation attempt.

]]>highadvisoryrequest-smugglingjettyCVE-2026-2332webserverhttps://feed.craftedsignal.io/briefs/2026-04-jetty-smuggling/Tue, 14 Apr 2026 12:16:21 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-jetty-smuggling/Eclipse Jetty's HTTP/1.1 parser is vulnerable to request smuggling due to improper handling of chunk extensions, allowing attackers to inject malicious requests.Eclipse Jetty is susceptible to request smuggling attacks (CVE-2026-2332) due to a flaw in its HTTP/1.1 parser. The vulnerability stems from the parser’s failure to properly handle chunk extensions within chunked transfer encoding. Specifically, Jetty incorrectly terminates chunk extension parsing at a carriage return and line feed (\r\n) sequence inside quoted strings, rather than treating it as an error. This behavior allows attackers to inject arbitrary HTTP requests by crafting malformed chunk extensions, potentially bypassing security controls and gaining unauthorized access to resources. The “funky chunks” research highlights similar attack vectors, underscoring the severity of this vulnerability. This issue impacts all Jetty users and requires immediate attention from security teams.

Attack Chain

1. Attacker sends an HTTP POST request to the targeted Jetty server.
2. The request includes the Transfer-Encoding: chunked header to enable chunked transfer encoding.
3. The attacker crafts a malformed chunk extension that includes an unclosed quoted string containing a newline (\r\n). Example: 1;ext="val\r\nX.
4. Jetty’s HTTP/1.1 parser incorrectly terminates the chunk extension parsing at the newline within the quoted string.
5. The parser then interprets the subsequent data (e.g., 0\r\n\r\nGET /smuggled HTTP/1.1\r\n...) as a new, smuggled HTTP request.
6. Jetty processes the smuggled request as if it were a legitimate request from the client.
7. The smuggled request can be used to access restricted resources, modify data, or perform other malicious actions.
8. The attacker gains unauthorized access or control over the application.

Impact

Successful exploitation of this request smuggling vulnerability (CVE-2026-2332) can lead to severe consequences, including unauthorized access to sensitive data, modification of application functionality, and complete compromise of the web application. The number of potential victims is extensive, as Jetty is a widely used web server and servlet container. Sectors at risk include any organization that uses Jetty, such as finance, healthcare, and e-commerce. The CVSS v3.1 base score for this vulnerability is 7.4, indicating a high level of severity.

Recommendation

• Apply the official patch or upgrade to a version of Jetty that addresses CVE-2026-2332 as soon as possible.
• Deploy the Sigma rule “Detect Jetty Request Smuggling via Malformed Chunk Extensions” to identify and alert on exploitation attempts (see rules).
• Inspect web server access logs for unusual patterns in chunked requests, particularly those with long or malformed chunk extensions (see “webserver” log source).
• Block access to the malicious URLs https://w4ke.info/2025/06/18/funky-chunks.html and https://w4ke.info/2025/10/29/funky-chunks-2.html at your web proxy or firewall as these are related to the attack techniques (see IOCs).

]]>highadvisoryrequest-smugglingjettycve-2026-2332funky-chunks