Threat Advisory

Jetty HTTP Vulnerability Exposes Request Smuggling

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-2332 (CVSS 7.4) is a vulnerability in the HTTP/1.1 parser of Eclipse Jetty, shipped in the jetty-http module. The affected versions (12.1.0 through 12.1.6, 12.0.0 through 12.0.32, 11.0.0 through 11.0.27, 10.0.0 through 10.0.27, and 9.4.0 through 9.4.59) incorrectly parse quoted-string values in the chunk extensions of HTTP/1.1 chunked transfer encoding. Request smuggling arises when two parsers in the request path (typically a front-end proxy, load balancer or cache and the back-end server) delimit the same byte stream differently; a chunk-size line carrying a crafted quoted extension value is enough to create that disagreement against an affected Jetty. An attacker exploits the flaw by sending a specially crafted HTTP request over the network; no privileges or user interaction are required, and there is no precondition beyond an affected Jetty version, although the practical impact is greatest where Jetty sits behind an intermediary whose parser disagrees with it. A successful attack lets the attacker inject HTTP requests that the front end never inspects, leading to cache poisoning, access control bypass and session hijacking.
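
The construct at the centre of this advisory is the chunk extension on a chunk-size line, whose value may be a quoted-string (RFC 9112 section 7.1.1, quoted-string per RFC 9110). The parser below is an added illustration written for this page; it is not Jetty's code and does not reproduce the Jetty bug. It shows the property a smuggling-resistant parser must keep: the chunk-size line is cut at the first CRLF before any extension is parsed, a quoted-string may never contain CR or LF, and anything the grammar does not accept is rejected instead of guessed, so the body boundary the server computes cannot depend on what sits inside the quotes. The chunked body used in the test is constructed for the example.

```python
"""Strict parser for HTTP/1.1 chunk-size lines (RFC 9112 section 7.1.1).

Added example for the advisory; not Jetty's parser.  Quoted-string
extension values are parsed so that they can never move the line or chunk
boundary, and any malformed line raises instead of being reinterpreted.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# tchar per RFC 9110 section 5.6.2
_TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                   b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
_HEX = frozenset(b"0123456789abcdefABCDEF")


class ChunkParseError(ValueError):
    """Any line the grammar rejects; a server must close the connection."""


@dataclass
class ChunkLine:
    size: int
    extensions: list[tuple[str, str | None]] = field(default_factory=list)


def _is_qdtext_or_pair_byte(c: int) -> bool:
    # HTAB / SP / VCHAR / obs-text: CR, LF, NUL and other controls are never legal
    return c in (0x09, 0x20) or 0x21 <= c <= 0x7E or c >= 0x80


def _skip_bws(line: bytes, i: int) -> int:
    while i < len(line) and line[i] in b" \t":
        i += 1
    return i


def _parse_token(line: bytes, i: int) -> tuple[bytes, int]:
    start = i
    while i < len(line) and line[i] in _TCHAR:
        i += 1
    if i == start:
        raise ChunkParseError(f"expected token at offset {start}")
    return line[start:i], i


def _parse_quoted_string(line: bytes, i: int) -> tuple[bytes, int]:
    """quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE"""
    i += 1  # opening DQUOTE
    out = bytearray()
    while i < len(line):
        c = line[i]
        if c == 0x22:  # closing DQUOTE
            return bytes(out), i + 1
        if c == 0x5C:  # backslash: quoted-pair, the next byte is literal
            i += 1
            if i >= len(line):
                break
            c = line[i]
        if not _is_qdtext_or_pair_byte(c):
            raise ChunkParseError(f"illegal byte 0x{c:02x} inside quoted-string")
        out.append(c)
        i += 1
    raise ChunkParseError("unterminated quoted-string")


def parse_chunk_line(line: bytes) -> ChunkLine:
    """Parse one chunk-size line, given WITHOUT its terminating CRLF."""
    if b"\r" in line or b"\n" in line:
        raise ChunkParseError("bare CR or LF in chunk-size line")
    i = 0
    while i < len(line) and line[i] in _HEX:
        i += 1
    if i == 0:
        raise ChunkParseError("missing chunk-size")
    if i > 16:
        raise ChunkParseError("chunk-size too long")
    parsed = ChunkLine(size=int(line[:i], 16))
    i = _skip_bws(line, i)
    while i < len(line):
        if line[i] != 0x3B:  # ';' introduces each chunk-ext
            raise ChunkParseError(f"unexpected byte 0x{line[i]:02x} at offset {i}")
        i = _skip_bws(line, i + 1)
        name, i = _parse_token(line, i)
        value = None
        i = _skip_bws(line, i)
        if i < len(line) and line[i] == 0x3D:  # '=' then token / quoted-string
            i = _skip_bws(line, i + 1)
            if i < len(line) and line[i] == 0x22:
                value, i = _parse_quoted_string(line, i)
            else:
                value, i = _parse_token(line, i)
            i = _skip_bws(line, i)
        parsed.extensions.append(
            (name.decode("ascii"), None if value is None else value.decode("latin-1")))
    return parsed


def decode_chunked(data: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body; returns (body, bytes after the trailer section).

    The line is cut at the first CRLF before extensions are parsed, so no
    extension content can move the boundary.  Bytes after the last-chunk
    are returned untouched: they belong to the next message on the wire.
    """
    body = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkParseError("truncated chunk-size line")
        header = parse_chunk_line(data[pos:eol])
        pos = eol + 2
        if header.size == 0:  # last-chunk, optional trailer fields, empty line
            while True:
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkParseError("truncated trailer section")
                trailer_line, pos = data[pos:eol], eol + 2
                if not trailer_line:
                    return bytes(body), data[pos:]
        end = pos + header.size
        if data[end:end + 2] != b"\r\n":
            raise ChunkParseError("chunk-data is not followed by CRLF")
        body += data[pos:end]
        pos = end + 2
```

The rejection cases matter as much as the happy path: an unterminated quote, a control byte inside the quotes or a dangling `=` are exactly the inputs on which two implementations are most likely to disagree, and the safe answer is to refuse the request, not to pick a plausible boundary.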

RECOMMENDATION:

We recommend updating jetty-http to the first fixed release of the series you run: 12.1.7, 12.0.33, 11.0.28, 10.0.28 or 9.4.60. Redeploy every service that bundles the module, including embedded Jetty inside application artifacts, and where Jetty sits behind a reverse proxy or cache, confirm that the intermediary rejects malformed chunk extensions rather than forwarding them unchanged.
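
As an added practical check for the recommendation above (written for this page, not taken from the advisory or the Jetty project): classify a jetty-http version against the affected ranges and report whether it is vulnerable, fixed, or from a series the advisory does not cover. The fixed releases are the next patch version after each affected range. Jetty 9.4 versions carry a `.vYYYYMMDD` qualifier that must be stripped before comparing. The `mvn dependency:tree` lines used as input are constructed for the example, and the `jetty-http` coordinate pattern is assumed to be `org.eclipse.jetty:jetty-http:jar:<version>:<scope>`.

```python
"""Version check for CVE-2026-2332 (added example, not the advisory's tooling)."""
import re

# First fixed release of each affected series, i.e. the patch version that
# follows the affected range given in the advisory.
FIXED = {
    (12, 1): (12, 1, 7),
    (12, 0): (12, 0, 33),
    (11, 0): (11, 0, 28),
    (10, 0): (10, 0, 28),
    (9, 4): (9, 4, 60),
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# assumed dependency:tree coordinate layout: group:artifact:type:version:scope
_JETTY_HTTP = re.compile(r"org\.eclipse\.jetty:jetty-http:jar:([^:\s]+)")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch); trailing qualifiers such as
    '.v20241219' on 9.4.x builds are ignored."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def jetty_http_status(version: str) -> str:
    """'vulnerable', 'fixed', or 'unknown' for a series the advisory does not
    list (treat 'unknown', e.g. 9.3.x, as needing manual review, not as safe)."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown"
    return "vulnerable" if v < fixed else "fixed"


def scan_dependency_tree(text: str) -> list:
    """Return (version, status) for every jetty-http entry in a dependency tree."""
    return [(v, jetty_http_status(v)) for v in _JETTY_HTTP.findall(text)]


# constructed sample of `mvn dependency:tree` output
SAMPLE_TREE = """\
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.50.v20221201:compile
[INFO] |  \\- org.eclipse.jetty:jetty-http:jar:9.4.50.v20221201:compile
[INFO] +- org.eclipse.jetty:jetty-http:jar:12.0.33:test
"""

if __name__ == "__main__":
    for version, status in scan_dependency_tree(SAMPLE_TREE):
        print(f"jetty-http {version}: {status}")
```

Run it against a real `mvn dependency:tree` or `gradle dependencies` dump; a `vulnerable` line means the service needs the fixed release listed above, and an `unknown` series should be reviewed by hand rather than assumed safe.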

REFERENCES:

The following advisory contains further technical details:
https://github.com/advisories/GHSA-355h-qmc2-wpwf
