Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: HTTP request smuggling
Action: Immediate Patch
AI Analysis

Impact

Netty, a Java-based network framework, misparses quoted strings in the chunk-extension part of an HTTP/1.1 chunked transfer-encoding body. Each chunk begins with a chunk-size line of the form hex-size, optionally followed by one or more ";name=value" extensions, terminated by CRLF, and an extension value may be a quoted string. Because Netty handles such a quoted string differently from a conformant parser, a front-end proxy or load balancer and a Netty back end can disagree about where the chunk header ends and chunk data begins. That disagreement is the precondition for HTTP request smuggling: bytes one side treats as body are read by the other side as the start of a second request. Typical consequences are bypassing front-end access controls and injecting requests into other clients' connections; the CVSS vector recorded on this page scores the issue as high integrity impact with no confidentiality or availability impact. The weakness is classified as CWE-444, Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), which is the CWE for exactly this parser-disagreement class.

Affected Systems

The issue affects every deployment of Netty 4.1 before 4.1.132.Final and Netty 4.2 before 4.2.10.Final. Because Netty is usually consumed indirectly (gRPC, Reactor Netty, Vert.x and many other Java libraries bundle it), an application can be affected without ever declaring Netty in its own build file. Upgrading to at least 4.1.132.Final or 4.2.10.Final removes the vulnerability.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N: it is reachable over the network, needs no privileges and no user interaction, and is scored for integrity impact only. The EPSS estimate shown above is below 1%, and the issue is not in CISA's KEV catalog, so there is no evidence of exploitation in the wild at the time of writing. Request smuggling bugs are nevertheless attractive targets because any service that accepts HTTP/1.1 chunked bodies through the affected Netty codec is exposed to unauthenticated clients. The attack is a single HTTP request whose chunk-size line carries an extension with a quoted-string value; Netty's incorrect handling of that quoted string makes it place the chunk boundary differently from an upstream proxy, which is the desynchronization that smuggling relies on.

Generated by OpenCVE AI on March 27, 2026 at 21:36 UTC.
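
The two paragraphs above (Impact, and Risk and Exploitability) describe the bug as a parser disagreement over chunk-extension quoted strings. The following Python is an added example, not Netty's code and not from the advisory: a chunk-size-line parser written to the grammar in RFC 9112 section 7.1.1, beside two hypothetical decoders, one that ignores extensions entirely and one that lets a quoted string run across line breaks. The lenient decoders illustrate the bug class only; they do not reproduce the specific defect fixed in Netty, which this page does not detail. All function names and the two input byte strings are constructed for the example.

```python
# Chunk-size line grammar (RFC 9112 section 7.1.1):
#   chunk-size = 1*HEXDIG ; chunk-ext = *( BWS ";" BWS name [ BWS "=" BWS ( token / quoted-string ) ] )
#   quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE, and qdtext never contains CR or LF,
#   so the line always ends at the first CRLF no matter what the quotes contain.
HEXDIG = set("0123456789abcdefABCDEF")
TCHAR = set("!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

class ChunkHeaderError(ValueError):
    """Any deviation from the grammar: a decoder must reject, never guess."""

def _run(s, i, allowed):
    """Advance i over characters in `allowed`; return the first index not in it."""
    while i < len(s) and s[i] in allowed:
        i += 1
    return i

def _hex_prefix(buf: bytes):
    """(chunk size, index just past the hex digits) for the start of buf."""
    j = 0
    while j < len(buf) and chr(buf[j]) in HEXDIG:
        j += 1
    if j == 0:
        raise ChunkHeaderError("missing chunk-size")
    return int(buf[:j], 16), j

def _parse_quoted_string(s, i):
    """s[i] is the opening DQUOTE; returns (unescaped value, index after closing DQUOTE)."""
    i, out = i + 1, []
    while i < len(s):
        c, o = s[i], ord(s[i])
        if c == '"':
            return "".join(out), i + 1
        if c == "\\":  # quoted-pair: backslash + (HTAB / SP / VCHAR / obs-text)
            if i + 1 >= len(s) or not (s[i + 1] == "\t" or ord(s[i + 1]) >= 0x20 and ord(s[i + 1]) != 0x7F):
                raise ChunkHeaderError("invalid quoted-pair")
            out.append(s[i + 1])
            i += 2
        elif c == "\t" or o in (0x20, 0x21) or 0x23 <= o <= 0x5B or 0x5D <= o <= 0x7E or o >= 0x80:
            out.append(c)  # qdtext
            i += 1
        else:
            raise ChunkHeaderError("invalid byte %r in quoted-string" % c)
    raise ChunkHeaderError("unterminated quoted-string")

def parse_chunk_header(line: bytes):
    """(size, [(name, value), ...]) for one chunk-size line with its CRLF already stripped.
    Delimiting at CRLF first means a quoted-string can never span lines, and a missing
    closing quote is an error rather than a longer value."""
    if b"\r" in line or b"\n" in line:
        raise ChunkHeaderError("bare CR or LF inside chunk-size line")
    size, i = _hex_prefix(line)
    s, exts = line.decode("latin-1"), []
    while True:
        i = _run(s, i, " \t")                      # BWS
        if i >= len(s):
            return size, exts
        if s[i] != ";":
            raise ChunkHeaderError("unexpected byte after chunk-size at offset %d" % i)
        i = _run(s, i + 1, " \t")
        j = _run(s, i, TCHAR)                      # chunk-ext-name
        if j == i:
            raise ChunkHeaderError("empty chunk-ext-name")
        name, value, i = s[i:j], None, _run(s, j, " \t")
        if i < len(s) and s[i] == "=":
            i = _run(s, i + 1, " \t")
            if i < len(s) and s[i] == '"':
                value, i = _parse_quoted_string(s, i)
            else:
                j = _run(s, i, TCHAR)              # token value
                if j == i:
                    raise ChunkHeaderError("empty chunk-ext-val")
                value, i = s[i:j], j
        exts.append((name, value))

def strict_chunk_start(buf: bytes):
    """Conformant: delimit at CRLF first, then parse. Returns (size, offset of chunk data)."""
    end = buf.find(b"\r\n")
    if end < 0:
        raise ChunkHeaderError("chunk-size line not terminated")
    return parse_chunk_header(buf[:end])[0], end + 2

def line_based_chunk_start(buf: bytes):
    """HYPOTHETICAL decoder that never looks at extensions: hex prefix, then first CRLF."""
    end = buf.find(b"\r\n")
    if end < 0:
        raise ChunkHeaderError("chunk-size line not terminated")
    return _hex_prefix(buf[:end])[0], end + 2

def quote_scanning_chunk_start(buf: bytes):
    """HYPOTHETICAL lenient decoder that looks for the closing DQUOTE before the CRLF,
    so a quoted-string can swallow line breaks. Not Netty's code; bug class only."""
    size, i = _hex_prefix(buf)
    in_quotes = False
    while i < len(buf):
        c = buf[i:i + 1]
        if in_quotes and c == b"\\":
            i += 2                      # skip the escaped byte, whatever it is
            continue
        if c == b'"':
            in_quotes = not in_quotes
        elif not in_quotes and buf[i:i + 2] == b"\r\n":
            return size, i + 2
        i += 1
    raise ChunkHeaderError("no CRLF found")

# Constructed inputs: a well-formed header every decoder agrees on (data at offset 11), and a
# malformed one (unterminated quoted-string on the first line) that the strict parser rejects
# while the two lenient decoders accept it with different data offsets (10 versus 18).
WELL_FORMED = b'5;x="a;b"\r\nhello\r\n0\r\n\r\n'
MALFORMED = b'5;x="abc\r\nhe"llo\r\nREST'
```

The point of the comparison is that the strict parser and the two lenient ones agree on every well-formed header, so the difference only surfaces on malformed input, which is exactly what an attacker sends. A conformant decoder rejects the malformed line outright; the lenient decoders each accept it and place the chunk data at different offsets, and when such a pair sits front-to-back the bytes between those offsets become a request that only one side ever saw.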

Remediation

The vendor fix is the upgrade to Netty 4.1.132.Final or 4.2.10.Final named in the description above; no separate workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Netty to 4.1.132.Final or later on the 4.1 line, or to 4.2.10.Final or later on the 4.2 line.
  • Verify that the deployed application actually resolves the updated library, including transitive copies pulled in by other dependencies, rather than only the version declared in the build file.
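
To act on the second recommendation, here is an added Python helper that is not from OpenCVE or the Netty project: it scans saved output of mvn dependency:tree or gradle dependencies for io.netty coordinates and classifies every resolved version against the fixed versions stated on this page. The only advisory-derived data is the 4.1/4.2 threshold table; the dependency-tree sample is constructed (it mixes Maven and Gradle line formats on purpose) and is not real project output, and all function names are the example's own.

```python
import re

# Fixed versions from the advisory, keyed by (major, minor) release line.
FIXED_PATCH = {(4, 1): 132, (4, 2): 10}

# Matches io.netty coordinates as printed by Maven ("io.netty:netty-codec-http:jar:4.1.130.Final:compile")
# and by Gradle ("io.netty:netty-codec-http:4.1.130.Final"); the type segment is optional.
COORD_RE = re.compile(
    r"io\.netty:(?P<artifact>[A-Za-z0-9_.-]+):(?:[a-z]+:)?"
    r"(?P<version>\d+\.\d+\.\d+(?:\.[A-Za-z0-9]+)?)"
)
# Gradle prints "declared -> resolved" when conflict resolution upgraded a dependency;
# the resolved version on the right is the one that actually ships.
ARROW_RE = re.compile(r"->\s*(\d+\.\d+\.\d+(?:\.[A-Za-z0-9]+)?)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?$")


def netty_status(version: str) -> str:
    """Classify one Netty version string against the advisory's fixed versions.
    The qualifier (.Final etc.) is ignored; only the numeric patch level is compared."""
    m = VERSION_RE.match(version)
    if not m:
        return "unparseable"
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    threshold = FIXED_PATCH.get((major, minor))
    if threshold is None:
        return "not-in-advisory-range"   # e.g. 4.0.x or 5.x: this page says nothing about them
    return "fixed" if patch >= threshold else "vulnerable"


def scan_dependency_tree(text: str):
    """[(artifact, resolved version, status)] for every io.netty coordinate, deduplicated,
    so transitive copies deep in the tree are reported alongside the direct one."""
    seen, results = set(), []
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        version = m.group("version")
        arrow = ARROW_RE.search(line)
        if arrow:
            version = arrow.group(1)
        key = (m.group("artifact"), version)
        if key in seen:
            continue
        seen.add(key)
        results.append((key[0], key[1], netty_status(key[1])))
    return results


def vulnerable_artifacts(text: str):
    """Only the (artifact, version) pairs that fall inside the advisory's vulnerable range."""
    return [(a, v) for a, v, s in scan_dependency_tree(text) if s == "vulnerable"]


# Constructed sample, not real project output: three Maven lines on a vulnerable 4.1 version,
# one Maven line on the 4.2 fix version, and one Gradle line upgraded by conflict resolution.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- io.netty:netty-codec-http:jar:4.1.130.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.130.Final:compile
[INFO] |  \\- io.netty:netty-codec:jar:4.1.130.Final:compile
[INFO] +- io.netty:netty-handler:jar:4.2.10.Final:compile
[INFO] \\- org.example:other-lib:jar:2.3.4:compile
+--- io.netty:netty-resolver:4.1.130.Final -> 4.1.132.Final
"""

if __name__ == "__main__":
    for artifact, version, status in scan_dependency_tree(SAMPLE_TREE):
        print(f"{artifact:24} {version:16} {status}")
```

Generate the input from the build that produces the deployed artifact, for example with mvn dependency:tree -Dincludes=io.netty or gradle dependencies --configuration runtimeClasspath, and feed the saved text to scan_dependency_tree. Checking the resolved tree rather than the declared version matters because a BOM, a parent POM or another library can pin an older Netty transitively even after the direct dependency has been bumped.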

Advisories
Source: GitHub GHSA
ID: GHSA-pwqr-wmgm-9rr8
Title: Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
History

Mon, 30 Mar 2026 07:15:00 +0000

First Time appeared (values added): Netty; Netty netty
Vendors & Products (values added): Netty; Netty netty

Sat, 28 Mar 2026 12:15:00 +0000

References: updated (values not shown)
Metrics threat_severity: None (removed) -> Important (added)


Fri, 27 Mar 2026 20:15:00 +0000

Description (added): Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Title (added): Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
Weaknesses (added): CWE-444
References: updated (values not shown)
Metrics cvssV3_1 (added): score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:54:15.586Z

Reserved: 2026-03-24T15:10:05.678Z

Link: CVE-2026-33870

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T20:16:34.663

Modified: 2026-03-27T20:16:34.663

Link: CVE-2026-33870

Red Hat

Severity: Important

Public Date: 2026-03-27T19:54:15Z

Links: CVE-2026-33870 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T07:00:33Z

Weaknesses