{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/funky-chunks/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-2332"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["request-smuggling","jetty","cve-2026-2332","funky-chunks"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eEclipse Jetty is susceptible to request smuggling attacks (CVE-2026-2332) due to a flaw in its HTTP/1.1 parser. The vulnerability stems from the parser\u0026rsquo;s failure to properly handle chunk extensions within chunked transfer encoding. Specifically, Jetty incorrectly terminates chunk extension parsing at a carriage return and line feed (\\r\\n) sequence inside quoted strings, rather than treating it as an error. This behavior allows attackers to inject arbitrary HTTP requests by crafting malformed chunk extensions, potentially bypassing security controls and gaining unauthorized access to resources. The \u0026ldquo;funky chunks\u0026rdquo; research highlights similar attack vectors, underscoring the severity of this vulnerability. This issue impacts all Jetty users and requires immediate attention from security teams.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sends an HTTP POST request to the targeted Jetty server.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eTransfer-Encoding: chunked\u003c/code\u003e header to enable chunked transfer encoding.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malformed chunk extension that includes an unclosed quoted string containing a newline (\u003ccode\u003e\\r\\n\u003c/code\u003e). Example: \u003ccode\u003e1;ext=\u0026quot;val\\r\\nX\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eJetty\u0026rsquo;s HTTP/1.1 parser incorrectly terminates the chunk extension parsing at the newline within the quoted string.\u003c/li\u003e\n\u003cli\u003eThe parser then interprets the subsequent data (e.g., \u003ccode\u003e0\\r\\n\\r\\nGET /smuggled HTTP/1.1\\r\\n...\u003c/code\u003e) as a new, smuggled HTTP request.\u003c/li\u003e\n\u003cli\u003eJetty processes the smuggled request as if it were a legitimate request from the client.\u003c/li\u003e\n\u003cli\u003eThe smuggled request can be used to access restricted resources, modify data, or perform other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access or control over the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this request smuggling vulnerability (CVE-2026-2332) can lead to severe consequences, including unauthorized access to sensitive data, modification of application functionality, and complete compromise of the web application. The number of potential victims is extensive, as Jetty is a widely used web server and servlet container. Sectors at risk include any organization that uses Jetty, such as finance, healthcare, and e-commerce. The CVSS v3.1 base score for this vulnerability is 7.4, indicating a high level of severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the official patch or upgrade to a version of Jetty that addresses CVE-2026-2332 as soon as possible.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Jetty Request Smuggling via Malformed Chunk Extensions\u0026rdquo; to identify and alert on exploitation attempts (see rules).\u003c/li\u003e\n\u003cli\u003eInspect web server access logs for unusual patterns in chunked requests, particularly those with long or malformed chunk extensions (see \u0026ldquo;webserver\u0026rdquo; log source).\u003c/li\u003e\n\u003cli\u003eBlock access to the malicious URLs \u003ccode\u003ehttps://w4ke.info/2025/06/18/funky-chunks.html\u003c/code\u003e and \u003ccode\u003ehttps://w4ke.info/2025/10/29/funky-chunks-2.html\u003c/code\u003e at your web proxy or firewall as these are related to the attack techniques (see IOCs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:16:21Z","date_published":"2026-04-14T12:16:21Z","id":"/briefs/2026-04-jetty-smuggling/","summary":"Eclipse Jetty's HTTP/1.1 parser is vulnerable to request smuggling due to improper handling of chunk extensions, allowing attackers to inject malicious requests.","title":"Eclipse Jetty HTTP/1.1 Request Smuggling via Chunk Extensions (CVE-2026-2332)","url":"https://feed.craftedsignal.io/briefs/2026-04-jetty-smuggling/"}],"language":"en","title":"CraftedSignal Threat Feed — Funky-Chunks","version":"https://jsonfeed.org/version/1.1"}