Jetty patches HTTP request smuggling via chunk extensions
TL;DR — Jetty’s HTTP/1.1 chunked-transfer parsing can be desynchronized using crafted chunk extensions, enabling HTTP request smuggling when Jetty sits behind a frontend proxy/load balancer.
What happened
Eclipse Jetty is a popular Java web server and HTTP client/server component, commonly deployed behind reverse proxies and L7 load balancers.
CVE-2026-2332 describes a request smuggling issue in Jetty’s HTTP/1.1 parser when chunk extensions are present in Transfer-Encoding: chunked requests. The CVE notes Jetty can incorrectly terminate chunk-extension parsing at a CRLF inside a quoted string (instead of rejecting it as a parsing error). In real deployments where a frontend and backend interpret the same bytes differently, this can enable “desync” behavior where a smuggled request is processed by the backend.
| Item | Source value |
|---|---|
| Vulnerability class | HTTP Request Smuggling |
| CWE | CWE-444 |
| Severity | CVSS v3.1 7.4 (High) |
| CVSS vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Why this matters: request smuggling is an application-layer cross-component parsing failure mode that can bypass frontend controls, poison caches, or cross tenant/user boundaries in shared proxy tiers—especially in “proxy → app server” architectures that are ubiquitous in production.
Who is impacted
- Jetty deployments using the org.eclipse.jetty:jetty-http component in the affected ranges below.
- Highest-risk environments: anywhere Jetty is deployed behind a reverse proxy / load balancer (i.e., wherever differential parsing between components can occur).
| Jetty line | Affected versions (per advisory/CVE) | Patched versions (per advisory) |
|---|---|---|
| 12.1.x | >= 12.1.0 and <= 12.1.6 | 12.1.7 |
| 12.0.x | >= 12.0.0 and <= 12.0.32 | 12.0.33 |
| 11.0.x | >= 11.0.0 and <= 11.0.27 | 11.0.28 |
| 10.0.x | >= 10.0.0 and <= 10.0.27 | 10.0.28 |
| 9.4.x | >= 9.4.0 and <= 9.4.59 | 9.4.60 |
What to do now
- Follow vendor remediation guidance and apply a Jetty release that includes the fix.
- Jetty’s GitHub Security Advisory for this issue lists the following patched versions: 12.1.7, 12.0.33, 11.0.28, 10.0.28, 9.4.60
- Inventory where Jetty is embedded vs explicitly depended on (application servers, shaded JARs, platform “starter” stacks), and prioritize upgrades for internet-facing services and shared reverse-proxy tiers.
- If you operate a proxy tier in front of Jetty, treat this as a prompt to re-review your end-to-end HTTP/1.1 parsing assumptions (especially around Transfer-Encoding: chunked handling and any “normalize/parse/forward” transformations) and add targeted regression tests for desync behavior in staging.
- If compromise/abuse is suspected, review reverse-proxy and application logs for anomalous request framing (chunked bodies with unusual chunk extensions) and investigate for signs of cache poisoning or cross-user response mixups.
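As an added example (not Jetty's code and not the vendor fix), the following strict parser for the chunk-size line applies the RFC 9112 chunk-ext grammar that the CVE description above refers to: it locates the terminating CRLF while tracking quoted-string state, so a CRLF inside a quoted extension value raises an error instead of ending the line. Function names and the inputs used with it are constructed for this illustration; it can serve as a reference oracle for the staging regression tests suggested above.

```python
import re

# Added example (not Jetty's parser): strict chunk-header parsing per RFC 9112, where
# chunk-ext = *( BWS ";" BWS name [ BWS "=" BWS ( token / quoted-string ) ] ).
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

class ChunkFramingError(ValueError): pass

def _bws(buf, i):  # skip optional SP / HTAB
    while i < len(buf) and buf[i] in b" \t":
        i += 1
    return i

def _quoted_string(buf, i):  # buf[i] is the opening DQUOTE
    out, i = bytearray(), i + 1
    while i < len(buf):
        c = buf[i]
        if c == 0x22:
            return bytes(out), i + 1
        if c == 0x5C:  # quoted-pair: the next byte is literal; a missing one is rejected below
            i += 1
            c = buf[i] if i < len(buf) else 0x0D
        if (c < 0x20 and c != 0x09) or c == 0x7F:
            raise ChunkFramingError("control byte (e.g. CR/LF) inside quoted-string")
        out.append(c)
        i += 1
    raise ChunkFramingError("unterminated quoted-string")

def parse_chunk_header(buf):  # -> (size, [(name, value), ...], bytes_consumed)
    m = re.match(rb"[0-9A-Fa-f]+", buf)
    if not m: raise ChunkFramingError("missing chunk-size")
    size, i, exts = int(m.group(), 16), m.end(), []
    while True:
        i = _bws(buf, i)
        if buf.startswith(b"\r\n", i):  # the only valid end of the header line
            return size, exts, i + 2
        if i >= len(buf) or buf[i] != 0x3B:  # ";" or CRLF may follow, nothing else
            raise ChunkFramingError("bare CR/LF or junk after chunk-size")
        m = TOKEN.match(buf, _bws(buf, i + 1))
        if not m: raise ChunkFramingError("missing chunk-ext-name")
        name, i, value = m.group(), _bws(buf, m.end()), None
        if i < len(buf) and buf[i] == 0x3D:  # "="
            i = _bws(buf, i + 1)
            if i < len(buf) and buf[i] == 0x22:
                value, i = _quoted_string(buf, i)
            elif m := TOKEN.match(buf, i):
                value, i = m.group(), m.end()
            else:
                raise ChunkFramingError("missing chunk-ext-val")
        exts.append((name, value))
```

The returned byte count lets a caller step to the chunk data and on to the next chunk header, so the same function can walk an entire captured body and flag any chunk whose extensions are rejected or merely unusual.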
