#VU125866 Inconsistent interpretation of HTTP requests in Jetty - CVE-2026-2332

 


Published: April 14, 2026


Vulnerability identifier: #VU125866
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-2332
CWE-ID: CWE-444
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Jetty
Software vendor:
Eclipse

Description

The vulnerability allows a remote attacker to inject arbitrary HTTP requests.

The vulnerability exists due to inconsistent interpretation of HTTP requests in the parser for HTTP/1.1 chunked transfer encoding extensions, specifically when it parses quoted strings in chunk extension values. A remote attacker can send a specially crafted chunked HTTP request to inject arbitrary HTTP requests.

The issue occurs because CRLF sequences inside quoted strings are treated as chunk header terminators instead of parsing errors.
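
The check described above, as an added example that is not Jetty's code or part of the original advisory: a strict chunk-header scan that rejects CR or LF inside a quoted chunk extension value, shown beside a lenient scan that stops at the first CRLF. The function names and both sample byte strings are constructed for illustration, and the scan enforces only the line-ending rule, not the full chunk-ext grammar.

```python
# Added example: strict vs. lenient handling of CRLF in a quoted chunk-ext value.
class ChunkHeaderError(ValueError):
    pass

HEX = b"0123456789abcdefABCDEF"

def naive_header_end(buf, pos=0):
    """Lenient view: the header ends at the first CRLF, quotes ignored."""
    return buf.index(b"\r\n", pos) + 2

def parse_chunk_header(buf, pos=0):
    """Return (chunk_size, offset_of_chunk_data) or raise ChunkHeaderError."""
    i = pos
    while i < len(buf) and buf[i] in HEX:
        i += 1
    if i == pos:
        raise ChunkHeaderError("missing chunk-size")
    size = int(buf[pos:i], 16)
    in_quotes = False
    while i < len(buf):
        c = buf[i]
        if c in b"\r\n":
            if in_quotes:
                raise ChunkHeaderError("CR/LF inside quoted chunk-ext value")
            if buf[i:i + 2] != b"\r\n":
                raise ChunkHeaderError("bare CR or LF in chunk header")
            return size, i + 2
        if in_quotes and c == 0x5C:      # quoted-pair: skip the escaped octet
            if buf[i + 1:i + 2] in (b"", b"\r", b"\n"):
                raise ChunkHeaderError("invalid quoted-pair")
            i += 2
            continue
        if c == 0x22:                    # DQUOTE toggles quoted-string state
            in_quotes = not in_quotes
        i += 1
    raise ChunkHeaderError("unterminated chunk header")

def rejects(buf):
    """True when the strict scan refuses the chunk header at offset 0."""
    try:
        parse_chunk_header(buf)
        return False
    except ChunkHeaderError:
        return True

# Constructed samples (not captured traffic).
BENIGN = b'5;name="value"\r\nhello\r\n0\r\n\r\n'
MALFORMED = b'5;name="va\r\nlue"\r\nhello\r\n0\r\n\r\n'
```

On the malformed sample the lenient scan reports a header end inside the quoted string, while the strict scan raises; that difference in where the chunk header ends is the inconsistency between parsers.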


Remediation

Install the security update from the vendor's website.
