Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Requires proxy-backend topology for effective smuggling (AC:H); scope changes as attacker affects other users' sessions (S:C); limited confidentiality and integrity impact align with request smuggling primitives.
Primary rating from Vendor (eclipse).
CVSS VectorVendor: eclipse
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Eclipse Grizzly in versions before 5.0.2, cannot properly parse the trailer section in malformed trailer header's line, which can be leveraged to perform HTTP request smuggling.
AnalysisAI
HTTP request smuggling in Eclipse Grizzly before 5.0.2 stems from the framework's inability to correctly parse malformed trailer header lines in chunked HTTP requests, enabling CWE-444 boundary-confusion attacks. Remote unauthenticated attackers who can send crafted chunked requests through a front-end proxy to a GlassFish-backed server can cause the proxy and Grizzly to disagree on request boundaries, smuggling attacker-controlled content as the prefix of a subsequent legitimate user's request. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation is most effective when GlassFish with a vulnerable Grizzly version is deployed behind a reverse proxy or load balancer (e.g., nginx, HAProxy, Apache httpd) that forwards HTTP/1.1 chunked requests - this is the architectural condition implied by the CVSS 4.0 AT:P (Attack Requirements: Present) flag. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.3 with vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N reflects network reachability without authentication, but the AT:P (Attack Requirements: Present) flag depresses the score significantly - effective HTTP request smuggling requires a specific intermediary topology (a proxy or load balancer in the request path that interprets chunked trailers differently from Grizzly). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP/1.1 request with chunked transfer-encoding and a deliberately malformed trailer header line to a reverse proxy fronting a GlassFish server. The proxy treats the entire payload as one request and forwards it, while Grizzly - due to the parser flaw - splits it into two at the malformed trailer boundary. … |
| Remediation | Upgrade Eclipse Grizzly to version 5.0.2 or later, as stated in the CVE description as the fixed release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Eclipse Glassfish
View allRemote code execution in Eclipse GlassFish allows remote attackers to evaluate arbitrary Expression Language (EL) expres
Remote code execution in Eclipse GlassFish allows attackers with administrative access to the Administration Console to
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Request Smuggling
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43641
GHSA-c269-4hpf-qfhc