CVE-2017-7657
Description
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Eclipse Jetty, a chunk length integer overflow allows request smuggling, potentially bypassing authorization when behind an intermediary.
Vulnerability
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), the transfer-encoding chunk length parsing is vulnerable to an integer overflow [1]. This flaw causes a large chunk size to be misinterpreted as a smaller one, allowing the chunk body to be treated as a pipelined HTTP request [2].
Exploitation
Exploitation requires a deployment in which an intermediary (reverse proxy, load balancer or similar) enforces authorization in front of Jetty but forwards chunked request bodies, including arbitrarily large chunk sizes, unchanged. The attacker sends a chunked request whose chunk-size field is large enough to overflow Jetty's integer accumulator. The intermediary reads the literal, very large size and treats everything that follows as chunk body still in flight, while Jetty reads the wrapped, small size, completes the first request early and parses the remaining bytes as a second, pipelined request. Because the intermediary never saw that second request as a request, its authorization check is never applied to it [1][2].
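To make the split described above concrete, the following is an added example written for this page; it is not Jetty's parser, not code from any Jetty advisory, and not an exploit against a specific deployment. It models the bug class only: a chunk-size accumulator that wraps in a signed 32-bit integer (the back end), an accumulator with no size limit (an intermediary that passes large chunks through), and a checked accumulator that rejects oversized values (the general shape of the fix). The request lines, host name and paths in the constructed byte string are made up.

```python
"""
Constructed model of the chunk-length overflow class discussed in this entry.
Not Jetty's code; request lines, paths and host names below are invented.
"""
from typing import Callable, List, Tuple

INT32_MAX = 0x7FFFFFFF


def chunk_size_wrapping_int32(digits: str) -> int:
    """Accumulate hex digits with size = size*16 + d in a signed 32-bit int,
    with no overflow check: large values wrap silently (the vulnerable pattern)."""
    size = 0
    for ch in digits:
        size = (size * 16 + int(ch, 16)) & 0xFFFFFFFF
    return size - (1 << 32) if size > INT32_MAX else size


def chunk_size_unbounded(digits: str) -> int:
    """Model of an intermediary that accepts any chunk size (Python ints do not wrap)."""
    return int(digits, 16)


def chunk_size_checked(digits: str) -> int:
    """Hardened variant: refuse a chunk size that does not fit in a non-negative int32."""
    size = int(digits, 16)
    if size > INT32_MAX:
        raise ValueError("chunk size too large: 0x%s" % digits)
    return size


def parse_stream(data: bytes, size_parser: Callable[[str], int]) -> Tuple[List[str], bool]:
    """Split `data` into complete HTTP/1.1 requests using `size_parser` for chunk sizes.
    Returns (request lines of completed requests, True if the last request is incomplete)."""
    requests: List[str] = []
    pos = 0
    while pos < len(data):
        hdr_end = data.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            return requests, True
        head = data[pos:hdr_end].decode("latin-1")
        lines = head.split("\r\n")
        request_line, headers = lines[0], [h.lower() for h in lines[1:]]
        pos = hdr_end + 4
        if "transfer-encoding: chunked" not in headers:
            requests.append(request_line)       # no body in this model
            continue
        while True:                              # walk the chunked body
            line_end = data.find(b"\r\n", pos)
            if line_end < 0:
                return requests, True
            size_field = data[pos:line_end].decode("ascii").split(";")[0].strip()
            size = size_parser(size_field)
            pos = line_end + 2
            if size == 0:                        # last-chunk, no trailers assumed
                if data[pos:pos + 2] != b"\r\n":
                    return requests, True
                pos += 2
                break
            if size < 0:
                raise ValueError("negative chunk size")
            if pos + size + 2 > len(data):
                return requests, True            # chunk body still in flight
            if data[pos + size:pos + size + 2] != b"\r\n":
                raise ValueError("missing CRLF after chunk data")
            pos += size + 2
        requests.append(request_line)
    return requests, False


# Constructed byte stream: one chunked request whose chunk size 0x100000005 wraps
# to 5 in int32, followed by what a wrapping parser will see as a second request.
SMUGGLE = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"100000005\r\n"
    b"AAAAA\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)


def backend_view() -> Tuple[List[str], bool]:
    """Wrapping parser: sees two requests, the second never passed the front end's check."""
    return parse_stream(SMUGGLE, chunk_size_wrapping_int32)


def frontend_view() -> Tuple[List[str], bool]:
    """Unbounded parser: sees one request whose 4 GiB chunk is still arriving."""
    return parse_stream(SMUGGLE, chunk_size_unbounded)


def fixed_view() -> str:
    """Checked parser: the oversized chunk size is rejected before any body is read."""
    try:
        parse_stream(SMUGGLE, chunk_size_checked)
        return "accepted"
    except ValueError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    print("backend :", backend_view())
    print("frontend:", frontend_view())
    print("fixed   :", fixed_view())
```

The two views of the same bytes are the whole vulnerability: the front end still believes it is relaying the body of the authorized `POST`, so the `GET /admin` it never parsed is never subjected to its authorization rule. The checked accumulator shows why rejecting an unrepresentable size (rather than letting it wrap) closes the gap regardless of what any intermediary does.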
Impact
Successful exploitation could allow HTTP request smuggling, leading to authorization bypass and potential access to restricted resources. The impact can be significant as the intermediary's security controls are circumvented [2].
Mitigation
Fixed versions are available: 9.2.25.v20180606, 9.3.24.v20180605, and 9.4.11.v20180605 [2][4]. On 9.4.x the vulnerable code path is only reached when the non-default RFC2616 compliance mode is enabled, so keeping the default HTTP compliance setting also avoids the issue. Users should upgrade to a patched version; for 9.4.x, reverting to the default compliance mode is an interim option [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.eclipse.jetty:jetty-server | Maven | < 9.2.25.v20180606 | 9.2.25.v20180606 |
| org.eclipse.jetty:jetty-server | Maven | >= 9.3.0, < 9.3.24.v20180605 | 9.3.24.v20180605 |
Affected products
- The Eclipse Foundation / Eclipse Jetty (version range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2019:0910 (Red Hat vendor advisory)
- github.com/advisories/GHSA-vgg8-72f2-qm23 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-7657 (NVD)
- www.debian.org/security/2018/dsa-4278 (Debian vendor advisory)
- www.securitytracker.com/id/1041194 (SecurityTracker entry)
- bugs.eclipse.org/bugs/show_bug.cgi (Eclipse bug tracker)
- lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E (mailing list: issues@activemq)
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E (mailing list: solr-user@lucene)
- lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E (mailing list: commits@druid)
- lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E (mailing list: issues@bookkeeper)
- lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E (mailing list: commits@druid)
- lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E (mailing list: commits@druid)
- lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E (mailing list: commits@druid)
- security.netapp.com/advisory/ntap-20181014-0001/ (NetApp advisory)
- support.hpe.com/hpsc/doc/public/display (HPE advisory)
- www.oracle.com//security-alerts/cpujul2021.html (Oracle Critical Patch Update, July 2021)
- www.oracle.com/security-alerts/cpuoct2020.html (Oracle Critical Patch Update, October 2020)
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (Oracle Critical Patch Update, October 2019)
News mentions
No linked articles in our index yet.