Srinivasarao Daruna created TIKA-4757:
-----------------------------------------
Summary: [SECURITY] CVE-2026-2332: HTTP request smuggling via Jetty jetty-http
Key: TIKA-4757
URL: https://issues.apache.org/jira/browse/TIKA-4757
Project: Tika
Issue Type: Bug
Reporter: Srinivasarao Daruna
CVE-2026-2332 (CVSS 9.1 Critical) is an HTTP/1.1 request smuggling
vulnerability in Jetty's HTTP/1.1 chunk-extension parser. The parser
terminates chunk-extension parsing at \r\n inside quoted strings
instead of treating this as an error, allowing unauthenticated remote
attackers to smuggle HTTP requests and compromise confidentiality and
integrity (CWE-444).
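The parsing rule at the center of this report, as an added illustration in Python (not Jetty's code): a chunk-size line is consumed according to the RFC 9112 grammar, so a CR or LF met inside a quoted chunk-extension value is a parse error, not the end of the line. The only assumption is the RFC 9110/9112 ABNF for token, quoted-string and chunk-ext.

```python
"""Strict HTTP/1.1 chunk-size line parser (RFC 9112 s7.1.1), added as an illustration
(not Jetty's code): CR and LF are never valid inside a quoted-string, so a parser must
reject them there rather than take the first CRLF it meets as the end of the line."""
import re

TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"                         # RFC 9110 tchar
TOKEN = re.compile(TCHAR + "+")
EXT_NAME = re.compile(r"[ \t]*;[ \t]*(" + TCHAR + r"+)([ \t]*=[ \t]*)?")  # BWS ";" BWS name [BWS "=" BWS]
QDTEXT = re.compile(r"[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]")  # RFC 9110 qdtext
QPAIR = re.compile(r"\\[\t \x21-\x7e\x80-\xff]")               # RFC 9110 quoted-pair

class ChunkLineError(ValueError):
    """Any chunk line a conforming parser must refuse (400 / close the connection)."""

def _need(m, what):  # a regex match, or a parse error naming what was expected
    if not m:
        raise ChunkLineError("expected " + what)
    return m

def _quoted_string(s, i):
    # s[i] is the opening DQUOTE. Neither regex matches CR or LF, so a CRLF
    # inside the quotes raises instead of silently ending the extension.
    i, out = i + 1, []
    while i < len(s) and s[i] != '"':
        m = QPAIR.match(s, i) or QDTEXT.match(s, i)
        if not m:
            raise ChunkLineError("illegal byte %r in quoted chunk-ext value" % s[i])
        out.append(m.group()[-1])  # for a quoted-pair keep the escaped char
        i = m.end()
    if i >= len(s):
        raise ChunkLineError("unterminated quoted chunk-ext value")
    return "".join(out), i + 1

def parse_chunk_header(data: bytes):
    """Return (size, {ext_name: value_or_None}, offset_of_chunk_data). The grammar,
    not a search for the first CRLF, decides where the chunk line ends."""
    s = data.decode("latin-1")
    m = _need(re.match(r"[0-9A-Fa-f]+", s), "chunk-size")
    size, i, exts = int(m.group(), 16), m.end(), {}
    while not s.startswith("\r\n", i):
        m = _need(EXT_NAME.match(s, i), "';' chunk-ext-name or CRLF")
        name, i, val = m.group(1), m.end(), None
        if m.group(2):  # '=' present: value is a token or a quoted-string
            if s.startswith('"', i):
                val, i = _quoted_string(s, i)
            else:
                m = _need(TOKEN.match(s, i), "chunk-ext-val")
                val, i = m.group(), m.end()
        exts[name] = val
    return size, exts, i + 2
```

The returned offset tells the caller where chunk-data begins; a lenient parser that split on the first CRLF would instead return an offset inside the quoted value, which is the desynchronisation the CVE describes.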
Affected versions: Jetty 11.0.0–11.0.27
Apache Tika currently uses: 11.0.26 (vulnerable)
Fixed in: 11.0.28 (and 12.0.33 / 12.1.7 in newer lines)
Jetty 11.x is EOL (Nov 2024). The immediate fix is to upgrade
jetty.version to 11.0.28. Long-term, migration to Jetty 12.1.x
is required, which depends on:
1. Java version upgrade
2. Resolving Http2SolrClient (SolrJ 9.10.0) compatibility with the Jetty 12 API (InputStreamResponseListener moved from org.eclipse.jetty.client.util to org.eclipse.jetty.client)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)