Netty versions prior to 4.1.132.Final and 4.2.10.Final parse quoted strings in HTTP/1.1 chunked transfer encoding extensions incorrectly, allowing attackers to smuggle requests between intermediaries. This weakness, identified as CWE‑444, can result in the server interpreting HTTP bodies in unintended ways, potentially causing data leakage, bypassing authentication, or enabling downstream attacks. The vulnerability grants attackers the possibility to alter the logical boundaries of HTTP messages, thereby compromising confidentiality, integrity, or availability of the affected application.

The impacted library is Netty, used broadly in Java‑based applications for network I/O. Versions predating 4.1.132.Final for the 4.1 branch and 4.2.10.Final for the 4.2 branch are vulnerable. Applications incorporating these Netty releases, including those that embed them as dependencies in web servers, application servers, or microservice runtimes, are at risk. Upgrading to the patched release removes the flaw.

The CVSS score of 7.5 indicates a high severity, and the EPSS score of less than 1% suggests that exploit prevalence is low at present. The vulnerability is not listed in the CISA KEV catalog, implying no known mass exploitation. Attackers can remotely submit crafted HTTP requests with chunked encoding extensions to any publicly reachable service that uses the vulnerable Netty library. The attack vector is inferred to be remote network, as the flaw is triggered by externally supplied headers in a standard HTTP request. No specific mitigation was documented besides applying the fix; exploitation would require the ability to influence the request received by the server.