Skip to main content

Netty CVE-2019-16869

HIGH
HTTP Request/Response Smuggling (CWE-444)
2019-09-26 cve@mitre.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 26, 2019 - 16:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 maven packages depend on io.netty:netty (4 direct, 0 indirect)
  • 10 maven packages depend on io.netty:netty-all (2 direct, 8 indirect)
  • 28 maven packages depend on org.jboss.netty:netty (13 direct, 15 indirect)

Ecosystem-wide dependent count for version 3.3.0.Final and other introduced versions.

DescriptionNVD

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

AnalysisAI

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as HTTP Request/Response Smuggling (CWE-444), which allows attackers to manipulate HTTP request interpretation between frontend and backend servers. Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. Affected products include: Netty, Debian Debian Linux, Canonical Ubuntu Linux, Redhat Jboss Enterprise Application Platform. Version information: before 4.1.42..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Enforce strict HTTP parsing, normalize requests at proxy layer, use HTTP/2 end-to-end, reject ambiguous headers.

More in Netty

View all
CVE-2025-24970 HIGH POC
7.5 Feb 10

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final

CVE-2026-48748 HIGH POC
7.5 Jun 12

Denial of service in the Netty HTTP/3 codec (io.netty:netty-codec-http3) prior to version 4.2.15.Final allows remote una

CVE-2026-50011 HIGH POC
7.5 Jun 12

Denial of service in Netty's io.netty:netty-codec-redis component (prior to 4.1.135.Final and 4.2.15.Final) allows remot

CVE-2022-41881 HIGH POC
7.5 Dec 12

Netty project is an event-driven asynchronous network application framework. Rated high severity (CVSS 7.5), this vulner

CVE-2020-7238 HIGH POC
7.5 Jan 27

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Tr

CVE-2025-58057 MEDIUM POC
6.9 Sep 04

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performan

CVE-2023-34462 MEDIUM POC
6.5 Jun 22

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performan

CVE-2022-41915 MEDIUM POC
6.5 Dec 13

Netty project is an event-driven asynchronous network application framework. Rated medium severity (CVSS 6.5), this vuln

CVE-2024-47535 MEDIUM POC
5.5 Nov 12

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performan

CVE-2022-24823 MEDIUM POC
5.5 May 06

Netty is an open-source, asynchronous event-driven network application framework. Rated medium severity (CVSS 5.5), this

CVE-2021-21290 MEDIUM POC
5.5 Feb 08

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable h

CVE-2024-29025 MEDIUM POC
5.3 Mar 25

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performan

Share

CVE-2019-16869 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy