EUVD-2026-22243
GHSA-355h-qmc2-wpwf
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 243 maven packages depend on org.eclipse.jetty:jetty-http (25 direct, 218 indirect)
Ecosystem-wide dependent count for version 12.1.0.
DescriptionNVD
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
- https://w4ke.info/2025/06/18/funky-chunks.html
- https://w4ke.info/2025/10/29/funky-chunks-2.html
Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.
POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked
1;ext="val X 0
GET /smuggled HTTP/1.1 ...
Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
AnalysisAI
HTTP request smuggling in Eclipse Jetty versions 9.4.0-12.1.6 allows remote unauthenticated attackers to inject smuggled requests via malformed chunked transfer encoding. The HTTP/1.1 parser incorrectly terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as a protocol violation, enabling 'funky chunks' smuggling techniques. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all systems running Eclipse Jetty 9.4.x, 10.0.x, 11.0.x, 12.0.x, or 12.1.x versions (scan with 'java -version' and Jetty configuration review); document inventory and prioritize internet-facing deployments. Within 7 days: implement network-level compensating controls (see below) and begin evaluation of Jetty alternatives or upgrade paths to versions beyond 12.1.6 when released. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today