https://feed.craftedsignal.io/tags/request-smuggling/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 15 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-jetty-request-smuggling/Wed, 15 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-jetty-request-smuggling/Jetty is vulnerable to HTTP request smuggling due to improper parsing of quoted strings in HTTP/1.1 chunked transfer encoding extension values, potentially allowing attackers to inject arbitrary HTTP requests, poison caches, and bypass security controls.Jetty versions 9.4.0 through 12.1.6 are vulnerable to HTTP request smuggling due to incorrect parsing of quoted strings in HTTP/1.1 chunked transfer encoding extensions. This flaw stems from Jetty’s premature termination of chunk header parsing upon encountering a carriage return and line feed (CRLF) sequence within a quoted string, violating RFC 9112 specifications. An attacker can exploit this vulnerability to inject malicious HTTP requests into the application’s request stream, potentially bypassing security controls, poisoning caches, and even hijacking user sessions. This issue, identified as CVE-2026-2332, poses a significant risk to applications using affected Jetty versions. The vulnerability was discovered during research into “Funky Chunks” HTTP request smuggling techniques and highlights the importance of rigorous adherence to RFC specifications in HTTP server implementations.

Attack Chain

1. The attacker sends a crafted HTTP POST request with chunked transfer encoding to a vulnerable Jetty server.
2. The chunk header includes a quoted string within the chunk extension, containing a CRLF sequence. For example: Chunk: 1;a="\r\n.
3. Jetty incorrectly parses the chunk header, terminating parsing at the CRLF within the quoted string.
4. The remaining portion of the intended chunk extension and subsequent data are interpreted as the beginning of a new HTTP request.
5. The attacker injects a malicious HTTP GET request intended to be smuggled, such as GET /smuggled HTTP/1.1.
6. The smuggled request is processed by the server, potentially bypassing frontend security checks.
7. The server responds to the smuggled request.
8. The attacker may use the smuggled request to poison the cache, bypass access controls, or potentially hijack user sessions by intercepting sensitive data in the smuggled response.

Impact

Successful exploitation of this vulnerability allows attackers to inject arbitrary HTTP requests into the application’s request stream. This can lead to several severe consequences, including: cache poisoning, where malicious content is served to legitimate users; access control bypass, enabling unauthorized access to sensitive resources; and session hijacking, allowing attackers to impersonate other users. The vulnerability impacts Jetty versions 9.4.0 through 12.1.6. The number of affected installations is currently unknown. The primary target is any web application utilizing a vulnerable version of Jetty.

Recommendation

• Upgrade to a patched version of Jetty that addresses CVE-2026-2332.
• Deploy the Sigma rule Detect Jetty HTTP Request Smuggling to your SIEM and tune for your environment to detect exploitation attempts.
• Inspect web server logs for malformed chunk headers containing CRLF sequences within quoted strings, as this indicates a potential exploitation attempt.

]]>highadvisoryrequest-smugglingjettyCVE-2026-2332webserverhttps://feed.craftedsignal.io/briefs/2026-04-jetty-smuggling/Tue, 14 Apr 2026 12:16:21 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-jetty-smuggling/Eclipse Jetty's HTTP/1.1 parser is vulnerable to request smuggling due to improper handling of chunk extensions, allowing attackers to inject malicious requests.Eclipse Jetty is susceptible to request smuggling attacks (CVE-2026-2332) due to a flaw in its HTTP/1.1 parser. The vulnerability stems from the parser’s failure to properly handle chunk extensions within chunked transfer encoding. Specifically, Jetty incorrectly terminates chunk extension parsing at a carriage return and line feed (\r\n) sequence inside quoted strings, rather than treating it as an error. This behavior allows attackers to inject arbitrary HTTP requests by crafting malformed chunk extensions, potentially bypassing security controls and gaining unauthorized access to resources. The “funky chunks” research highlights similar attack vectors, underscoring the severity of this vulnerability. This issue impacts all Jetty users and requires immediate attention from security teams.

Attack Chain

1. Attacker sends an HTTP POST request to the targeted Jetty server.
2. The request includes the Transfer-Encoding: chunked header to enable chunked transfer encoding.
3. The attacker crafts a malformed chunk extension that includes an unclosed quoted string containing a newline (\r\n). Example: 1;ext="val\r\nX.
4. Jetty’s HTTP/1.1 parser incorrectly terminates the chunk extension parsing at the newline within the quoted string.
5. The parser then interprets the subsequent data (e.g., 0\r\n\r\nGET /smuggled HTTP/1.1\r\n...) as a new, smuggled HTTP request.
6. Jetty processes the smuggled request as if it were a legitimate request from the client.
7. The smuggled request can be used to access restricted resources, modify data, or perform other malicious actions.
8. The attacker gains unauthorized access or control over the application.

Impact

Successful exploitation of this request smuggling vulnerability (CVE-2026-2332) can lead to severe consequences, including unauthorized access to sensitive data, modification of application functionality, and complete compromise of the web application. The number of potential victims is extensive, as Jetty is a widely used web server and servlet container. Sectors at risk include any organization that uses Jetty, such as finance, healthcare, and e-commerce. The CVSS v3.1 base score for this vulnerability is 7.4, indicating a high level of severity.

Recommendation

• Apply the official patch or upgrade to a version of Jetty that addresses CVE-2026-2332 as soon as possible.
• Deploy the Sigma rule “Detect Jetty Request Smuggling via Malformed Chunk Extensions” to identify and alert on exploitation attempts (see rules).
• Inspect web server access logs for unusual patterns in chunked requests, particularly those with long or malformed chunk extensions (see “webserver” log source).
• Block access to the malicious URLs https://w4ke.info/2025/06/18/funky-chunks.html and https://w4ke.info/2025/10/29/funky-chunks-2.html at your web proxy or firewall as these are related to the attack techniques (see IOCs).

]]>highadvisoryrequest-smugglingjettycve-2026-2332funky-chunkshttps://feed.craftedsignal.io/briefs/2026-04-apache-traffic-server-dos/Tue, 07 Apr 2026 11:24:02 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-apache-traffic-server-dos/A remote attacker can exploit multiple vulnerabilities in Apache Traffic Server to conduct a denial of service or request smuggling attack.Multiple vulnerabilities exist within Apache Traffic Server that could allow a remote attacker to conduct denial-of-service (DoS) or request smuggling attacks. While specific CVEs aren’t provided in the advisory, the potential impact on service availability and data integrity is significant. Apache Traffic Server is a high-performance caching proxy server. Successful exploitation of these vulnerabilities can disrupt or completely halt services relying on the Traffic Server, leading to financial losses, reputational damage, and operational disruption. Defenders should prioritize identifying and mitigating potential exploitation attempts targeting their Traffic Server instances. The broad nature of the advisory necessitates a proactive approach to monitoring and detection.

Attack Chain

1. The attacker identifies a vulnerable Apache Traffic Server instance accessible over the network.
2. The attacker crafts malicious HTTP requests designed to exploit the identified vulnerabilities (e.g., by triggering excessive resource consumption).
3. The attacker sends the crafted requests to the Traffic Server, potentially exploiting parsing flaws.
4. The Traffic Server processes the malicious requests, leading to resource exhaustion (CPU, memory).
5. As resources become depleted, the Traffic Server’s performance degrades significantly.
6. Legitimate user requests are delayed or dropped due to the server’s overload.
7. The Traffic Server eventually becomes unresponsive, resulting in a denial-of-service condition.
8. Alternatively, the attacker crafts requests that exploit request smuggling vulnerabilities to potentially bypass security controls or poison the cache.

Impact

Successful exploitation of these vulnerabilities can lead to a complete denial-of-service condition, rendering web services unavailable. This can result in significant financial losses, reputational damage, and disruption to business operations. The impact is amplified for organizations heavily reliant on their web infrastructure, where even brief outages can have severe consequences. The advisory lacks specific victim numbers, but the risk extends to any organization utilizing a vulnerable version of Apache Traffic Server. The request smuggling vulnerability may also lead to cache poisoning, impacting downstream clients.

Recommendation

• Monitor web server logs for unusual patterns indicative of request smuggling or denial of service attempts, using the provided Sigma rules for guidance (logsource: webserver).
• Investigate and analyze any spikes in resource consumption (CPU, memory, network) on servers running Apache Traffic Server to identify potential DoS attacks.
• Implement rate limiting and traffic shaping to mitigate the impact of potential denial of service attacks, based on the recommendations for webserver configurations.
• Continuously monitor for new advisories and security patches related to Apache Traffic Server, and apply updates promptly.

]]>highadvisoryapachetraffic serverdenial of servicerequest smugglinghttps://feed.craftedsignal.io/briefs/2026-03-undertow-request-smuggling/Sat, 28 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-undertow-request-smuggling/CVE-2026-28368 is a vulnerability in Undertow that allows a remote attacker to construct specially crafted requests, leading to request smuggling attacks and potential bypass of security controls, resulting in unauthorized resource access.<p>CVE-2026-28368 is a critical vulnerability found in the Undertow web server. This flaw enables a remote attacker to craft specialized HTTP requests that Undertow parses differently compared to upstream proxies. This discrepancy allows attackers to conduct request smuggling attacks, effectively bypassing security measures and potentially gaining unauthorized access to sensitive resources. The vulnerability stems from inconsistent interpretation of HTTP requests, which is a common issue in web…</p> highadvisoryundertowrequest-smugglingcve-2026-28368https://feed.craftedsignal.io/briefs/2026-03-undertow-smuggling/Fri, 27 Mar 2026 17:16:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-undertow-smuggling/A remote attacker can exploit CVE-2026-28367 in Undertow by sending '\r\r\r' as a header block terminator, leading to request smuggling on vulnerable proxy servers.<p>CVE-2026-28367 is a request smuggling vulnerability found in Undertow, a flexible performant server-side Java web server. The vulnerability arises from improper handling of HTTP header block terminators. Specifically, a remote attacker can send <code>\r\r\r</code> as a header block terminator, which can be misinterpreted by certain proxy servers. This allows the attacker to potentially smuggle malicious requests, bypassing security controls and gaining unauthorized access to resources or manipulating…</p> highadvisorycverequest-smugglingundertowwebserverhttps://feed.craftedsignal.io/briefs/2026-04-netty-chunked-smuggling/Thu, 26 Mar 2026 18:51:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-netty-chunked-smuggling/Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks by terminating chunk header parsing at \r\n inside quoted strings instead of rejecting the malformed request.A vulnerability exists in Netty’s HTTP/1.1 chunked transfer encoding extension parsing, specifically in how it handles quoted strings. This flaw, discovered during research into “Funky Chunks” HTTP request smuggling techniques, stems from Netty terminating chunk header parsing at \r\n inside quoted strings, instead of rejecting the request as malformed. This behavior deviates from RFC 9110, which mandates that CR (%x0D) and LF (%x0A) bytes are not permitted inside chunk extensions. This parsing differential allows attackers to smuggle HTTP requests. Versions affected include netty-codec-http < 4.1.132.Final and netty-codec-http versions >= 4.2.0.Alpha1 and < 4.2.10.Final. This matters for defenders because successful exploitation can lead to severe consequences, including cache poisoning and session hijacking.

Attack Chain

1. The attacker sends a crafted HTTP request with chunked transfer encoding.
2. The request includes a chunk extension containing a quoted string with embedded \r\n characters. For example: 1;a="\r\n.
3. Netty’s HTTP parser incorrectly terminates the chunk header parsing at the embedded \r\n.
4. The remaining portion of the intended chunk extension and the subsequent chunk data are interpreted as the beginning of a new HTTP request.
5. The attacker injects a smuggled HTTP request, such as GET /smuggled HTTP/1.1.
6. The vulnerable server processes both the initial and smuggled requests on the same connection.
7. The smuggled request is executed, potentially bypassing security controls or accessing sensitive data.
8. The server returns responses for both requests, potentially leading to cache poisoning or other malicious outcomes.

Impact

Successful exploitation of this vulnerability can lead to request smuggling, allowing attackers to inject arbitrary HTTP requests into a connection. This can result in cache poisoning, where smuggled responses may poison shared caches. Additionally, access control bypasses can occur, where smuggled requests circumvent frontend security controls. Session hijacking is also possible, where smuggled requests may intercept responses intended for other users. The impact is significant as it can compromise the confidentiality, integrity, and availability of web applications and services using vulnerable Netty versions.

Recommendation

• Upgrade to Netty version 4.1.132.Final or 4.2.10.Final or later to remediate CVE-2026-33870.
• Deploy the Sigma rule “Detect Netty Chunked Transfer Encoding Request Smuggling” to identify potentially malicious requests exploiting this vulnerability.
• Inspect web server logs for HTTP requests with chunked transfer encoding and chunk extensions containing quoted strings with embedded carriage returns and line feeds (\r\n) to identify exploitation attempts.
• Monitor network traffic for connections to 127.0.0.1 on port 8080 which is used in the proof of concept for request smuggling.

]]>highadvisorynettyrequest-smugglinghttp