Impact
Netty, an asynchronous network application framework, contains a flaw in its chunk size parser. The parser fails to properly constrain the integer value representing the HTTP chunk size, allowing an attacker to craft requests with oversized chunk size fields that silently overflow the internal 32‑bit limit. This overflow enables HTTP request smuggling, whereby malicious requests can be split or merged across connections in ways that deviate from standard HTTP specifications, potentially bypassing downstream security controls or causing unintended server behavior. An attacker could hijack or discard legitimate requests, leading to denial of service, unauthorized data access, or arbitrary code execution if the server processes the smuggled payload.
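The overflow described above can be checked for on the defensive side. This is an added example, not Netty's code and not part of the advisory: it flags chunk-size lines whose value changes when read through a 32-bit integer, and shows a strict parser that rejects them. `wrapped_int32` is an assumed model of an unchecked signed 32-bit accumulator, and all function names and sample lines are constructed for illustration.

```python
"""Added example: flag chunk-size lines that a wrapping 32-bit parser misreads."""
import re

INT32_MAX = 0x7FFFFFFF
# RFC 9112: chunk-size = 1*HEXDIG, optionally followed by ";ext"
_CHUNK_SIZE = re.compile(rb"^([0-9A-Fa-f]+)[ \t]*(?:;.*)?$")


def wrapped_int32(hex_digits: bytes) -> int:
    """Model (assumption) of an unchecked signed 32-bit accumulator."""
    acc = 0
    for d in hex_digits:
        acc = (acc * 16 + int(chr(d), 16)) & 0xFFFFFFFF
    return acc - (1 << 32) if acc & 0x80000000 else acc


def strict_chunk_size(line: bytes) -> int:
    """Parse a chunk-size line, rejecting anything outside 0..INT32_MAX."""
    m = _CHUNK_SIZE.match(line)
    if not m:
        raise ValueError("malformed chunk-size line")
    value = int(m.group(1), 16)  # arbitrary precision, cannot wrap
    if value > INT32_MAX:
        raise ValueError("chunk size exceeds 32-bit limit")
    return value


def audit(lines):
    """Return (line, true_value, wrapped_value) for every ambiguous line."""
    findings = []
    for line in lines:
        m = _CHUNK_SIZE.match(line)
        if not m:
            continue
        true_value = int(m.group(1), 16)
        wrapped = wrapped_int32(m.group(1))
        if true_value != wrapped:
            findings.append((line, true_value, wrapped))
    return findings


# Constructed sample chunk-size lines (not captured traffic).
SAMPLE = [b"1a", b"7fffffff", b"80000000", b"100000010;ext=1"]

if __name__ == "__main__":
    for line, true_value, wrapped in audit(SAMPLE):
        print(f"{line!r}: declared {true_value}, wrapping parser sees {wrapped}")
```

Any line returned by `audit` is one on which two HTTP hops can disagree about where the chunk ends, which is the precondition for the request smuggling described above.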
Affected Systems
The vulnerability affects the Netty framework, specifically the netty-codec-http module and core netty library, for all releases prior to 4.2.13.Final for the 4.2 series and prior to 4.1.133.Final for the 4.1 series. Any applications or services that embed these versions of Netty, such as web servers, application servers, or API gateways built on Netty, are potentially impacted.
Risk and Exploitability
The CVSS score of 6.5 classifies the vulnerability as medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploitation at the time of this report. The likely attack vector is network‑based, with an attacker crafting specially malformed HTTP chunked requests against any surface that relies on the vulnerable Netty version. Because the flaw causes a silent overflow, exploitation requires detailed knowledge of the target's HTTP handling – but once executed, it can alter request parsing, potentially allowing session fixation, data leakage, or service disruption.