CVE-2023-40167
HTTP Request Smuggling vulnerability in jetty-http (Maven)
What is CVE-2023-40167 About?
This vulnerability affects Jetty's HTTP/1 parser, which incorrectly accepts a '+' character preceding the `Content-Length` header value. This non-compliant behavior could lead to HTTP request smuggling when Jetty is used in conjunction with other servers that reject such malformed requests. While no known exploit exists, the potential impact is significant, and the underlying issue is a parsing inconsistency.
Affected Software
- org.eclipse.jetty:jetty-http
  - >9.0.0, <9.4.52
  - >10.0.0, <10.0.16
  - >11.0.0, <11.0.16
  - >12.0.0, <12.0.1
Technical Details
The vulnerability lies in Jetty's HTTP/1 parser, which deviates from RFC 9110 Section 8.6 by permitting a '+' character before the numeric value of the `Content-Length` header. Standard HTTP servers and parsers (e.g., NGINX, Apache HTTPd) reject requests with `Content-Length: +<value>` as malformed with a 400 Bad Request; Jetty, however, successfully parses and processes such requests.

This discrepancy creates the potential for HTTP request smuggling in deployments where Jetty acts as a backend server behind a different frontend proxy or load balancer. An attacker could send a crafted request (e.g., `Content-Length: +16`) that is interpreted differently by the frontend (which might reject it or treat it as zero-length) and by the backend Jetty server (which accepts it). This out-of-sync parsing allows an attacker to prefix or append additional malicious requests into the connection stream, potentially bypassing WAFs or IDS, or accessing internal resources not intended for public exposure.

The payload provided shows a POST request with `Content-Length: +16` that Jetty accepts while other parsers reject, demonstrating the parsing inconsistency.
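To make the parsing discrepancy concrete, here is an added Python example (not Jetty's code and not from the advisory): a strict RFC 9110 Section 8.6 `Content-Length` check beside a lenient one, both run over a constructed request head carrying the `+16` value described above. The sample heads, the helper names and the `classify` verdict strings are assumptions made for illustration.

```python
import re
from typing import Callable, Optional

# RFC 9110 s.8.6: Content-Length = 1*DIGIT. No sign, no inner whitespace, nothing else.
_DIGITS = re.compile(r"[0-9]+")

class MalformedHeader(ValueError):
    """Raised where a compliant parser would answer 400 Bad Request."""

def lenient_content_length(value: str) -> int:
    # Reproduces the non-compliant behaviour the advisory describes: int() accepts a
    # leading '+' (and underscores, and non-ASCII digits), so it is not a validator.
    return int(value.strip())

def strict_content_length(value: str) -> int:
    # Compliant parsing: OWS around the value is allowed, anything but digits is not.
    v = value.strip(" \t")
    if not _DIGITS.fullmatch(v):
        raise MalformedHeader(f"Content-Length must be 1*DIGIT, got {value!r}")
    return int(v)

def content_length_from_head(head: bytes, parse: Callable[[str], int]) -> Optional[int]:
    """Content-Length of a raw head via `parse`, or None if absent; copies must agree (RFC 9110 s.8.6)."""
    seen = set()
    for line in head.split(b"\r\n")[1:]:   # [0] is the request line
        if not line:                       # blank line ends the head
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            seen.add(parse(value.decode("ascii")))
    if len(seen) > 1:
        raise MalformedHeader(f"conflicting Content-Length values {sorted(seen)}")
    return seen.pop() if seen else None

def classify(head: bytes) -> str:
    """How a strict front end and a lenient back end would read the same head."""
    verdicts = []
    for parse in (strict_content_length, lenient_content_length):
        try:
            verdicts.append(content_length_from_head(head, parse))
        except ValueError:                 # MalformedHeader and UnicodeDecodeError both qualify
            verdicts.append("reject")
    strict, lenient = verdicts
    return "consistent" if strict == lenient else f"discrepancy (strict={strict}, lenient={lenient})"

# Constructed sample heads (not captured traffic), modelled on the advisory's '+16' case.
SMUGGLE_HEAD = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: +16\r\n\r\n"
NORMAL_HEAD = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 16\r\n\r\n"
```

A front end that logs or blocks on `MalformedHeader` for the strict parser gives a simple detection point for requests carrying this malformed header.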
What is the Impact of CVE-2023-40167?
Successful exploitation may allow attackers to bypass security mechanisms, access internal resources, or compromise other users' sessions through HTTP request smuggling.
What is the Exploitability of CVE-2023-40167?
Exploitation complexity is moderate, requiring an understanding of HTTP request smuggling techniques and the specific parsing differences between Jetty and a co-located frontend server (e.g., proxy/load balancer). The primary prerequisite is a specific architectural setup where Jetty is deployed behind another HTTP server that strictly adheres to RFCs regarding Content-Length header formatting. This is a remote exploitation scenario. No authentication or specific privileges are required to send the initial malformed request to the frontend. The likelihood of a successful exploit depends heavily on the presence and configuration of a vulnerable server combination, as well as the frontend server's behavior upon receiving such a malformed header (e.g., whether it closes the connection or forwards it in a way that enables smuggling).
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| uthrasri | Link | PoC for CVE-2023-40167 |
What are the Available Fixes for CVE-2023-40167?
Available Upgrade Options
- org.eclipse.jetty:jetty-http
  - >9.0.0, <9.4.52 → Upgrade to 9.4.52
  - >10.0.0, <10.0.16 → Upgrade to 10.0.16
  - >11.0.0, <11.0.16 → Upgrade to 11.0.16
  - >12.0.0, <12.0.1 → Upgrade to 12.0.1
Additional Resources
- https://www.debian.org/security/2023/dsa-5507
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6
- https://github.com/eclipse/jetty.project
- https://osv.dev/vulnerability/GHSA-hmr7-m48g-48f6
- https://nvd.nist.gov/vuln/detail/CVE-2023-40167
- https://www.rfc-editor.org/rfc/rfc9110#section-8.6
- https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
What are Similar Vulnerabilities to CVE-2023-40167?
Similar Vulnerabilities: CVE-2023-28155, CVE-2022-41881, CVE-2021-44228, CVE-2020-13936, CVE-2019-15599
