Skip to main content

Netty HTTP Codec CVE-2026-42580

MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-05-07 https://github.com/netty/netty GHSA-m4cv-j2px-7723
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 00:33 vuln.today
Analysis Generated
May 07, 2026 - 00:33 vuln.today
CVE Published
May 07, 2026 - 00:13 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 11 maven packages depend on io.netty:netty-codec-http (11 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2.0.Alpha1.

DescriptionGitHub Advisory

Summary

Netty's chunk size parser silently overflows int, enabling request smuggling attacks.

Details

io.netty.handler.codec.http.HttpObjectDecoder#getChunkSize silently overflows int.

The size is accumulated as follows:

result *= 16; result += digit;

The result is checked only for negative values. However, with a carefully crafted chunk size, the result can be a valid size.

PoC

The test below shows Netty successfully parsing the second request, demonstrating how an attacker can smuggle a second request inside a chunked body.

java
@Test
public void test() {
    String requestStr = "POST / HTTP/1.1\r\n" +
            "Host: localhost\r\n" +
            "Transfer-Encoding: chunked\r\n\r\n" +
            "100000004\r\n" +
            "test\r\n" +
            "0\r\n" +
            "\r\n" +
            "GET /smuggled HTTP/1.1\r\n" +
            "Host: localhost\r\n" +
            "Content-Length: 0\r\n" +
            "\r\n";

    EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestDecoder());
    assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII)));

    // Request 1
    HttpRequest request = channel.readInbound();
    assertTrue(request.decoderResult().isSuccess());
    HttpContent content = channel.readInbound();
    assertTrue(content.decoderResult().isSuccess());
    assertEquals("test", content.content().toString(CharsetUtil.US_ASCII));
    content.release();
    LastHttpContent last = channel.readInbound();
    assertTrue(last.decoderResult().isSuccess());
    last.release();

    // Request 2
    request = channel.readInbound();
    assertTrue(request.decoderResult().isSuccess());
    last = channel.readInbound();
    assertTrue(last.decoderResult().isSuccess());
    last.release();
}

Impact

HTTP Request Smuggling: Attacker injects arbitrary HTTP requests

AnalysisAI

HTTP request smuggling in Netty's chunk size parser allows remote unauthenticated attackers to inject arbitrary HTTP requests by exploiting integer overflow in the hexadecimal chunk size parsing logic. The HttpObjectDecoder.getChunkSize method accumulates the chunk size without proper overflow validation, enabling an attacker to craft a malicious chunk size header that wraps around to a valid size, causing Netty to misinterpret the request boundary and parse injected requests as separate legitimate requests. Publicly available proof-of-concept demonstrates successful parsing of an injected GET request within a chunked POST body, with CVSS score 6.5 (network-accessible, low complexity, no authentication required).

Technical ContextAI

Netty is a Java-based asynchronous event-driven network application framework. The vulnerability resides in io.netty.handler.codec.http.HttpObjectDecoder.getChunkSize, which parses HTTP/1.1 chunked transfer encoding chunk size headers (specified in RFC 7230, section 4.1). The parser accumulates a hexadecimal size via iterative multiplication and addition: result = (result * 16) + digit. This operation is performed using Java int (32-bit), which has a maximum value of 2,147,483,647. The code checks only whether the final result is negative (detecting simple signed overflow), but does not validate the magnitude of intermediate or final computations. A carefully constructed chunk size such as '0x100000004' overflows to a small positive integer when interpreted as a 32-bit int, causing the parser to accept a misaligned chunk boundary. This violates RFC 7230 validation requirements and enables request smuggling (CWE-444: Inconsistent Interpretation of HTTP Requests), where the attacker's HTTP client and the target server interpret request boundaries differently.

RemediationAI

Immediately upgrade Netty to patched versions: io.netty:netty-codec-http 4.1.133.Final (for 4.1.x branch) or 4.2.13.Final (for 4.2.x branch). For applications using Netty transitively (e.g., Spring Boot), update the parent or Netty dependency directly via Maven or Gradle to the patched version. Verify the upgrade by checking dependency trees (mvn dependency:tree) and confirming no transitive dependencies downgrade Netty. Testing should include regression tests with both normal and malicious chunk size payloads (e.g., '100000004\r\n') to confirm the parser rejects invalid overflow cases. If immediate patching is not possible, implement network-level mitigations: deploy a reverse proxy (nginx, HAProxy) in front of the Netty application configured to normalize and validate chunk sizes before forwarding, explicitly blocking hex values that would overflow (values > 0x7FFFFFFF in 32-bit int); this adds latency and complexity but prevents request smuggling. Alternatively, disable chunked transfer encoding at the application level if not required (configure HttpObjectDecoder.maxChunkSize and reject Transfer-Encoding: chunked headers via middleware), though this may break legitimate clients using chunked requests. Monitor upstream proxies and load balancers for duplicate or suspiciously timed requests, which indicate smuggling attempts.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-42580 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy