Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Published: 2026-05-13
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty versions prior to 4.2.13.Final and 4.1.133.Final have a flaw in HttpProxyHandler where HTTP CONNECT requests are constructed with header validation turned off. The code adds user‑supplied outboundHeaders without checking for CRLF sequences, allowing an attacker who can influence these headers to inject arbitrary HTTP headers into a CONNECT request sent to a proxy server. This can alter the behavior of the proxy, potentially facilitating traffic manipulation or unauthorized access, though the overall risk is limited by the modest CVSS score of 2.9. This flaw corresponds to a Header Injection weakness (CWE‑113) and an Improper URL Construction weakness (CWE‑93).

Affected Systems

The affected product is the Netty networking framework. Any deployment using Netty versions older than 4.2.13.Final or 4.1.133.Final is vulnerable, regardless of operating system or platform.

Risk and Exploitability

The CVSS score of 2.9 indicates low severity. The EPSS score of <1% shows a very low exploitation probability, and the issue is not listed in CISA KEV, suggesting it has not been widely exploited. The likely attack vector requires an attacker who can control or influence the outboundHeaders passed to HttpProxyHandler, such as an application‑side adversary. Successful exploitation would inject headers into the CONNECT request, potentially compromising traffic integrity or enabling further attacks via the proxy. Due to the low perceived impact, exploitation is considered unlikely under normal circumstances. This issue reflects a Header Injection (CWE‑113) and Improper URL Construction (CWE‑93) weakness.

Generated by OpenCVE AI on May 29, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to 4.2.13.Final or later (4.2 branch) or 4.1.133.Final or later (4.1 branch), the releases in which HttpProxyHandler enforces header validation on the CONNECT request.
  • Modify application code to validate or sanitize outboundHeaders before they are passed to HttpProxyHandler, removing any user input that could contain CRLF or other control characters, thereby addressing the header injection (CWE‑113) and malformed URL (CWE‑93) vulnerabilities.
  • If upgrading is delayed, consider disabling or avoiding the use of HttpProxyHandler until a patch is applied, and monitor proxy logs for abnormal or unexpected header injection activity.
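One way to carry out the second action above, as an added example that is neither Netty's nor OpenCVE's code: a small Java helper that rejects header names outside the RFC 7230 token set and values containing CR, LF or other control characters before the headers ever reach HttpProxyHandler. It assumes the HttpProxyHandler(SocketAddress, HttpHeaders) constructor; the proxy address and header map are constructed placeholders.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.proxy.HttpProxyHandler;
import java.net.InetSocketAddress;
import java.util.Map;

// Added example: validates caller-influenced CONNECT headers before they reach
// HttpProxyHandler, so a CR/LF fails in our code whatever the Netty version does.
public final class SafeProxyHeaders {
    // RFC 7230 tchar set: the only characters allowed in a header field name.
    private static final String TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";

    static String checkName(String name) {
        if (name == null || !name.matches(TOKEN)) throw new IllegalArgumentException("invalid header name: " + name);
        return name;
    }

    // Rejects CR, LF, NUL and every other C0 control except HTAB, plus DEL.
    static String checkValue(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if ((c < 0x20 && c != '\t') || c == 0x7f) {
                throw new IllegalArgumentException(String.format("control character U+%04X in header value", (int) c));
            }
        }
        return value;
    }

    // Copies checked pairs into DefaultHttpHeaders; its no-argument constructor
    // keeps Netty's own header validation enabled as a second line of defence.
    static HttpHeaders toValidatedHeaders(Map<String, String> userHeaders) {
        HttpHeaders headers = new DefaultHttpHeaders();
        for (Map.Entry<String, String> e : userHeaders.entrySet()) {
            headers.add(checkName(e.getKey()), checkValue(e.getValue()));
        }
        return headers;
    }

    // Assumes the HttpProxyHandler(SocketAddress, HttpHeaders) constructor.
    static HttpProxyHandler newProxyHandler(InetSocketAddress proxy, Map<String, String> h) {
        return new HttpProxyHandler(proxy, toValidatedHeaders(h));
    }

    public static void main(String[] args) {
        // Constructed sample input; "proxy.example" is a placeholder and is never resolved.
        InetSocketAddress proxy = InetSocketAddress.createUnresolved("proxy.example", 3128);
        newProxyHandler(proxy, Map.of("Proxy-Connection", "keep-alive"));   // accepted
        try {
            toValidatedHeaders(Map.of("X-Trace", "abc\r\nX-Injected: 1"));    // CRLF in value
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```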



Advisories

Source: GitHub GHSA
ID: GHSA-45q3-82m4-75jr
Title: Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735)
History

Fri, 29 May 2026 00:15:00 +0000
  Weaknesses (added): CWE-93
  References: (values not shown)
  Metrics: threat_severity changed from None to Important

Mon, 18 May 2026 13:00:00 +0000
  CPEs (added): cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
  Metrics (added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Wed, 13 May 2026 20:00:00 +0000
  First Time appeared: Netty; Netty netty
  Vendors & Products (added): Netty; Netty netty

Wed, 13 May 2026 18:30:00 +0000
  Description (added): the text shown in the Description section above
  Title (added): Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation
  Weaknesses (added): CWE-113
  References: (values not shown)
  Metrics (added): cvssV4_0 {'score': 2.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-13T18:37:18.204Z
Reserved: 2026-04-28T17:26:12.085Z
Link: CVE-2026-42578

Vulnrichment

No data.

NVD

Status: Analyzed
Published: 2026-05-13T19:17:23.210
Modified: 2026-05-18T12:54:04.453
Link: CVE-2026-42578

Redhat

Severity: Important
Public Date: 2026-05-13T17:57:43Z
Links: CVE-2026-42578 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T02:15:16Z

Weaknesses