CVE-2026-2332: Eclipse Jetty HTTP Parser Vulnerable to Request Smuggling via 'Funky Chunks'

A critical vulnerability in the Eclipse Jetty HTTP/1.1 parser enables request smuggling attacks, allowing attackers to bypass security controls and potentially poison web caches or hijack user sessions. The flaw, designated CVE-2026-2332, stems from improper handling of chunk extensions. Specifically, the parser incorrectly terminates its parsing at a carriage return and line feed (`\r\n`) sequence *inside* a quoted string within a chunk extension, rather than rejecting the malformed request as an error. This behavior mirrors the 'funky chunks' technique documented in recent security research.

The vulnerability allows a crafted HTTP request to smuggle a second, hidden request within the body of the first. A proof-of-concept demonstrates the attack: a POST request with a `Transfer-Encoding: chunked` header contains a chunk extension where the closing double quote is omitted. The parser's premature termination at the embedded newline allows the subsequent data—in this case, a `GET /smuggled` request—to be interpreted as a separate, smuggled HTTP request by a downstream system. This creates a request/response desynchronization between the front-end proxy or load balancer and the Jetty backend server.

This type of vulnerability poses a significant risk to any system using a vulnerable version of the `org.eclipse.jetty:jetty-http` library (specifically version 9.4.58.v20250814 is cited). Successful exploitation could lead to cache poisoning, credential hijacking, or other web-based attacks that rely on request confusion. The issue is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests). Organizations and developers must immediately review their Jetty deployments and apply the necessary patches or mitigations to prevent exploitation.