In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
9.2.14-19.2.22-29.2.22-39.2.23-19.4.15-1~18.04.1ubuntu19.4.18-2build29.4.26-19.4.39-39.4.44-29.4.44-39.4.44-49.4.45-19.4.51-29.4.53-19.4.56-19.4.57-1Exploitability
AV:NAC:HPR:NUI:NScope
S:UImpact
C:HI:HA:NCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N