Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Published: 2026-05-13
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty’s HTTP parser historically removed a conflicting Content‑Length header when both Transfer‑Encoding: chunked and Content‑Length appeared together in HTTP/1.1 requests. However, for HTTP/1.0 incoming requests the sanitization guard was omitted. An attacker can send an HTTP/1.0 message containing both headers, causing Netty to parse the body as chunked while retaining the Content‑Length value in the forwarded message. Downstream proxies or handlers that rely on Content‑Length instead of Transfer‑Encoding will see misaligned boundaries, enabling classic request smuggling. This can lead to message injection, credential leakage, or denial of service, depending on how the downstream component processes the body.

Affected Systems

The vulnerability affects any application that uses Netty versions prior to 4.2.13.Final or 4.1.133.Final. The affected vendor is Netty, and the impacted product is the Netty networking framework. The fix is available in the referenced releases.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity. EPSS data is not available, and the flaw is not listed in CISA KEV, so the likelihood of widespread exploitation is uncertain. Nevertheless, the attack vector is straightforward: an attacker simply sends a crafted HTTP/1.0 request to any service that uses an affected Netty version, and the mis‑parsed message boundaries create an exploitable smuggling condition. The mitigations rely on version upgrade or runtime checks, so without these the risk remains moderate to high for exposed services.

Generated by OpenCVE AI on May 13, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Netty library to version 4.2.13.Final or newer, or 4.1.133.Final or newer
  • Implement a middleware policy that rejects or normalizes HTTP/1.0 requests containing both Transfer‑Encoding: chunked and Content‑Length headers, ensuring downstream components do not rely on the stale Content‑Length value
  • Configure upstream proxies or firewalls to reject HTTP/1.0 requests that include both Transfer‑Encoding and Content‑Length headers, or enforce strict header validation

Generated by OpenCVE AI on May 13, 2026 at 20:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xxqh-mfjm-7mv9 Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
History

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 18 May 2026 13:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Title Netty: HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
Weaknesses CWE-444
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}

Subscriptions

Netty Netty
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:42:59.711Z

Reserved: 2026-04-28T17:26:12.085Z

Link: CVE-2026-42581

cve-icon Vulnrichment

Updated: 2026-05-13T18:42:53.380Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T19:17:23.627

Modified: 2026-05-18T13:14:18.723

Link: CVE-2026-42581

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-13T17:54:44Z

Links: CVE-2026-42581 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T20:15:04Z

Weaknesses