Critical CVE-2026-2332 in Jetty Version 9.4.58.v20250814

[MariusDienel]

Hey everyone,
we are using Apache Karaf and have noticed in our Dependency Check that there is a Critical CVE in the Jetty Version 9.4.58.v20250814 that is used in Karaf. Are there any plans to upgrade to a newer Version soon or is the implementation just not affected by this CVE?

Thank you in advance and best regards
Marius

[AndreVirtimo]

Jetty 9.4 has reached its End of Life (EOL). A pax-web update with Jetty 12 support is planned for Karaf 4.5.x. A release vote is scheduled for the end of June.

[grgrzybek]

Hello Thanks for inspiration to read more about request smuggling at: - https://github.com/advisories/GHSA-355h-qmc2-wpwf - https://w4ke.info/2025/06/18/funky-chunks.html The latter mentions that Jetty is vulnerable when sitting behind "Imperva CDN" proxy. I'm not saying every Karaf with Jetty is vulnerable and I'm not a security expert, but I wouldn't say this is a critical vulnerability. First - as far as I understand it requires reverse proxy setup. And the attack (again - if I understand correctly) assumes that it's proxy's responsibility to reject proverbial unauthenticated "/admin" requests, while keeping the backed server accepting all requests. Normally you have full protection at the server side. However I don't fully understand how the proxy may interleave smuggled requests and responses for other requests. But long story short - Jetty 9 is no longer maintained upstream and if you fear about request smuggling, just switch from pax-web-jetty feature to pax-web-tomcat or pax-web-undertow feature. With Pax Web 8 I put a lot of energy and time to ensure interoperability at OSGi CMPN specification level. kind regards Grzegorz Grzybek śr., 3 cze 2026 o 16:19 Andre Schlegel-Tylla ***@***.***> napisał(a):

…

*AndreVirtimo* left a comment (apache/karaf#2691) <#2691 (comment)> Jetty 9.4 has reached its End of Life (EOL). A pax-web update with Jetty 12 support is planned for Karaf 4.5.x. A release vote is scheduled for the end of June. — Reply to this email directly, view it on GitHub <#2691?email_source=notifications&email_token=AACK3BPJVG6WDFALVNKXHUT46AXVZA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTINRRGMZTAMJRGE22M4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#issuecomment-4613301115>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACK3BJDT4VMXA34G44QORT46AXVZAVCNFSM6AAAAACZWXKYHSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DMMJTGMYDCMJRGU> . Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS <https://github.com/notifications/mobile/ios/AACK3BM2ISK4OZPACIMYCTT46AXVZA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTINRRGMZTAMJRGE22M4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSVGM33PORSXEX3JN5ZQ> and Android <https://github.com/notifications/mobile/android/AACK3BKQQRLA23MDH2GCIVT46AXVZA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTINRRGMZTAMJRGE22M4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSXGM33PORSXEX3BNZSHE33JMQ>. Download it today! You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[jbonofre]

And, also Karaf 4.5.x already upgraded Pax Web/Jetty. Also the Karaf services will be on the latest version.