VYPR
Critical severity · NVD Advisory · Published Jun 26, 2018 · Updated Aug 5, 2024

CVE-2017-7658

Description

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Eclipse Jetty, due to overly tolerant HTTP header parsing, allows request smuggling when intermediaries disagree on content length, bypassing authorization.

Vulnerability

Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations) contain a request smuggling vulnerability stemming from permissive HTTP header parsing [1][2]. When presented with two Content-Length headers, Jetty ignored the second. When presented with both a Content-Length and a Transfer-Encoding: chunked header, Jetty ignored the Content-Length as permitted by RFC 2616 [1]. This tolerant behavior deviates from the stricter requirements of RFC 7230, which considers such combinations invalid [2].
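The strict RFC 7230 handling that the paragraph above contrasts with Jetty's tolerant parsing, written out as an added example. This is not Jetty's parser and not code from the advisory: it is a small request-head validator that refuses every framing ambiguity the advisory mentions (duplicate Content-Length fields with differing values, Content-Length alongside Transfer-Encoding) instead of picking one interpretation, which is the behaviour a server or front-end needs so that two hops can never disagree on where a body ends. The request heads at the bottom are constructed inputs for the self-check; the function and type names are this example's own.

```python
# Strict HTTP/1.1 request-framing validation in the spirit of RFC 7230 section 3.3.
# Added illustration for CVE-2017-7658: not Jetty code and not from the advisory.
# The request heads at the bottom are constructed test inputs (headers only, no bodies).
from dataclasses import dataclass
from typing import List, Optional, Tuple

Header = Tuple[str, str]  # (lower-cased field name, trimmed field value)


@dataclass
class Framing:
    accepted: bool
    mode: str                     # "content-length", "chunked", "none" or "reject"
    length: Optional[int] = None  # declared body length when mode == "content-length"
    reason: str = ""


def parse_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a request head (everything before the blank line) into the request
    line and a list of header fields. Whitespace between a field name and the
    colon is itself a framing error (RFC 7230 section 3.2.4) and is rejected."""
    text = raw.decode("iso-8859-1")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.rstrip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def list_values(headers: List[Header], name: str) -> List[str]:
    """Collect every element of every occurrence of a list-valued field.
    RFC 7230 treats repeated fields and comma-separated values as equivalent,
    so "Content-Length: 5, 10" and two Content-Length lines are checked alike."""
    return [v.strip() for n, value in headers if n == name for v in value.split(",")]


def decide_framing(headers: List[Header]) -> Framing:
    """Return the body framing a strict recipient would use, or a rejection."""
    te = list_values(headers, "transfer-encoding")
    cl = list_values(headers, "content-length")

    if te and cl:
        # RFC 7230 3.3.3: Transfer-Encoding would override Content-Length, but the
        # combination "ought to be handled as an error"; refuse instead of guessing.
        return Framing(False, "reject", reason="Transfer-Encoding and Content-Length both present")
    if te:
        codings = [c.lower() for c in te]
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            return Framing(False, "reject", reason="chunked must be the final, single transfer coding")
        return Framing(True, "chunked")
    if cl:
        if any(not v.isdigit() for v in cl):
            return Framing(False, "reject", reason="non-numeric Content-Length")
        if len(set(cl)) != 1:
            # The case the advisory describes: the tolerant parser kept the first value.
            return Framing(False, "reject", reason="conflicting Content-Length values")
        return Framing(True, "content-length", length=int(cl[0]))
    return Framing(True, "none", length=0)


def check_request(raw: bytes) -> Framing:
    """Parse and validate a raw request head; any defect yields a rejection."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return Framing(False, "reject", reason=str(exc))
    return decide_framing(headers)


# Constructed request heads for a quick self-check.
CLEAN = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\n"
SAME_CL = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nContent-Length: 5\r\n\r\n"
DUP_CL = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nContent-Length: 10\r\n\r\n"
CL_TE = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
BAD_TE = b"POST /api HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked, gzip\r\n\r\n"

if __name__ == "__main__":
    for label, head in [("clean", CLEAN), ("same-cl", SAME_CL), ("dup-cl", DUP_CL),
                        ("cl-te", CL_TE), ("bad-te", BAD_TE)]:
        f = check_request(head)
        print(f"{label:8} accepted={f.accepted} mode={f.mode} reason={f.reason}")
```

Two identical Content-Length values are accepted and collapsed to one, which RFC 7230 permits; every other disagreement is a hard rejection, so a front-end applying this logic never forwards a request whose length the next hop might compute differently.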

Exploitation

An attacker can craft an HTTP request with conflicting Content-Length and Transfer-Encoding headers or duplicate Content-Length headers [1]. If the server is deployed behind an intermediary (e.g., a reverse proxy or load balancer) that interprets these headers differently—choosing the shorter content length—the intermediary may forward the entire body (including extra data) to Jetty [1][2]. Jetty then interprets the surplus body content as the start of a new (pipelined) request. No authentication or special network position beyond the ability to send HTTP requests to the intermediary is required. The attacker only needs the intermediary to pass along the conflicting headers unchanged.

Impact

Successful exploitation allows an attacker to inject a fake pipelined request that bypasses any authorization checks enforced by the intermediary [1][2]. The fake request is processed by Jetty as if it came from an already-authorized connection or from the intermediary itself. Impact includes unauthorized access to protected resources, privilege escalation, and potential data disclosure depending on the application behind Jetty [2][3].

Mitigation

Fixed versions are 9.2.25.v20180606, 9.3.24.v20180605, and 9.4.11.v20180605 [2][3]. All users should upgrade immediately. No workarounds are documented if patching is not possible. Archived EOL releases (9.2.x and older) will not receive updates and should be replaced with a supported version [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Ecosystem   Affected versions              Patched versions
org.eclipse.jetty:jetty-server  Maven       < 9.2.25.v20180606             9.2.25.v20180606
org.eclipse.jetty:jetty-server  Maven       >= 9.3.0, < 9.3.24.v20180605   9.3.24.v20180605
org.eclipse.jetty:jetty-server  Maven       >= 9.4.0, < 9.4.11.v20180605   9.4.11.v20180605

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 27

News mentions: 0

No linked articles in our index yet.