Description
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
Published: 2026-05-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Netty's DefaultHttpRequest and DefaultFullHttpRequest classes allows bypassing request-line validation when the URI is later changed via setUri(). While the constructors reject control characters that could corrupt the start line, setUri() does not perform the same checks. When an attacker controls the input to setUri(), the unvalidated URI is written directly into the request line by HttpRequestEncoder and RtspEncoder, enabling CRLF injection and the insertion of additional HTTP or RTSP requests. This can lead to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side, exposing confidentiality, integrity, and availability risks.

Affected Systems

The vulnerability affects the Netty networking library, specifically netty:netty. Versions prior to 4.2.13.Final and 4.1.133.Final are impacted. Applications that embed these older Netty releases are therefore at risk.

Risk and Exploitability

With a CVSS score of 5.3 the risk is moderate. Because the exploit requires execution of setUri() with attacker-controlled data, the attack surface includes services that accept user-supplied URIs. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation. Nonetheless, the potential for request smuggling or injection warrants immediate attention.

Generated by OpenCVE AI on May 6, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.2.13.Final or newer, or to 4.1.133.Final or newer if using the 4.1 series
  • Wrap or refactor calls to setUri() so that the URI is validated against CRLF and whitespace characters before encoding
  • Validate or sanitize all external inputs that may be passed to setUri() to remove or reject control characters

Generated by OpenCVE AI on May 6, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v8h7-rr48-vmmv Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection
History

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
Title Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()
Weaknesses CWE-444
CWE-93
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Netty Netty
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:59:59.536Z

Reserved: 2026-04-20T15:32:33.813Z

Link: CVE-2026-41417

cve-icon Vulnrichment

Updated: 2026-05-07T13:58:05.083Z

cve-icon NVD

Status : Received

Published: 2026-05-06T22:16:25.780

Modified: 2026-05-06T22:16:25.780

Link: CVE-2026-41417

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T23:00:15Z

Weaknesses