Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Published: 2026-05-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty, an asynchronous network application framework, contains a flaw in its HTTP/1 codec that causes requests carrying malformed Transfer-Encoding headers to be parsed incorrectly. When Netty and a front-end proxy disagree on where one request ends and the next begins, an attacker can smuggle an additional request through the shared connection, bypassing security controls that rely on correct request boundaries.

Affected Systems

The flaw is present in Netty core and the HTTP codec module prior to versions 4.2.13.Final and 4.1.133.Final. Users running those earlier releases are susceptible.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity; the EPSS score is below 1% (very low), and the issue is not listed in CISA KEV. The vector (AV:N/AC:L/PR:N/UI:N) describes a remote attack that needs no privileges or user interaction: the attacker only has to send a request with a malformed Transfer-Encoding header over the network. The impact is request smuggling (CWE-444), rated low for confidentiality and integrity and none for availability; it does not by itself give code execution.

Generated by OpenCVE AI on May 13, 2026 at 19:38 UTC.

Remediation

Fixed upstream in Netty 4.2.13.Final and 4.1.133.Final; no workaround is provided by the vendor.

OpenCVE Recommended Actions

  • Upgrade Netty to 4.2.13.Final or later (4.2 line) or 4.1.133.Final or later (4.1 line) to address the parsing bug.
  • If an immediate upgrade is not possible, validate and normalise Transfer-Encoding headers before they reach the Netty parser: reject requests whose value is not a well-formed list of known transfer codings ending in chunked, and requests that carry both Transfer-Encoding and Content-Length.
  • Re-evaluate front-end proxies or load balancers to ensure they do not forward or accept malformed Transfer-Encoding headers, and monitor for suspicious request patterns.
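The following is an added example of the strict front-end check the two mitigations above describe; it is not Netty code and not from the advisory. Because the advisory does not say which malformation the fixed releases handle, the example does not reproduce it; instead it rejects every Transfer-Encoding value that is not unambiguously well formed, so the Netty parser behind the proxy is never asked to interpret one. The set of accepted transfer codings, the sample requests and the helper names are assumptions made for the example.

```python
from __future__ import annotations

import re

TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Assumption: the back end accepts only IANA-registered transfer codings.
KNOWN_CODINGS = frozenset({"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"})


class FramingError(ValueError):
    """Anything the front end should answer with 400 and a closed connection."""


def _has_ctl(text: str) -> bool:
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in text)


def parse_transfer_encoding(values: list[str]) -> list[str]:
    """Return the codings lower-cased, or raise. Deliberately stricter than the
    RFC 9110 list grammar: no HTAB, no empty elements, no parameters, no unknown
    or repeated codings, and 'chunked' must be last (RFC 9112 section 6.1)."""
    codings: list[str] = []
    for raw in values:
        if _has_ctl(raw):
            raise FramingError("control character in Transfer-Encoding")
        for element in raw.split(","):
            element = element.strip(" ")
            if not element or ";" in element or not TOKEN_RE.fullmatch(element):
                raise FramingError(f"malformed Transfer-Encoding element: {element!r}")
            coding = element.lower()
            if coding not in KNOWN_CODINGS or coding in codings:
                raise FramingError(f"unknown or repeated transfer coding: {coding!r}")
            codings.append(coding)
    if not codings or codings[-1] != "chunked":
        raise FramingError("chunked must be the final transfer coding")
    return codings


def parse_request_head(raw: bytes) -> dict[str, list[str]]:
    """Split a request head into {lower-name: [value, ...]}, repeats kept in order.
    Rejects bare CR/LF, obs-fold lines, whitespace before the colon and control
    characters (HTAB included): tolerating any of these differently from the next
    hop is what desynchronises two parsers sharing one connection."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    if any(b"\r" in line or b"\n" in line for line in lines):
        raise FramingError("bare CR or LF inside header block")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:  # lines[0] is the request line
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obs-fold continuation line")
        name_b, colon, value_b = line.partition(b":")
        name = name_b.decode("latin-1")
        if not colon or not TOKEN_RE.fullmatch(name):
            raise FramingError(f"malformed field line: {line!r}")
        value = value_b.decode("latin-1").strip(" ")
        if _has_ctl(value):
            raise FramingError(f"control character in {name}")
        headers.setdefault(name.lower(), []).append(value)
    return headers


def select_framing(headers: dict[str, list[str]]) -> tuple[str, int | None]:
    """RFC 9112 section 6.3 in reject-on-ambiguity mode."""
    te = headers.get("transfer-encoding", [])
    cl = headers.get("content-length", [])
    if te and cl:  # the RFC lets a server prefer TE; a proxy must not forward ambiguity
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        parse_transfer_encoding(te)
        return ("chunked", None)
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]{1,19}", cl[0]):
            raise FramingError(f"invalid Content-Length: {cl!r}")
        return ("content-length", int(cl[0]))
    return ("none", 0)


def check(raw: bytes) -> str:
    """Describe the framing decision, or the reason the request is rejected."""
    try:
        kind, length = select_framing(parse_request_head(raw))
    except FramingError as exc:
        return f"reject: {exc}"
    return kind if length is None else f"{kind}={length}"


# Constructed sample requests, not captured traffic.
HEAD = b"POST / HTTP/1.1\r\nHost: a\r\n"
SAMPLES = {
    "plain chunked": HEAD + b"Transfer-Encoding: chunked\r\n\r\n",
    "gzip then chunked": HEAD + b"Transfer-Encoding: gzip, chunked\r\n\r\n",
    "content-length": HEAD + b"Content-Length: 5\r\n\r\n",
    "te and cl": HEAD + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "chunked not last": HEAD + b"Transfer-Encoding: chunked, gzip\r\n\r\n",
    "unknown coding": HEAD + b"Transfer-Encoding: xchunked\r\n\r\n",
    "space before colon": HEAD + b"Transfer-Encoding : chunked\r\n\r\n",
    "tab in value": HEAD + b"Transfer-Encoding:\tchunked\r\n\r\n",
    "obs-fold": HEAD + b"Transfer-Encoding:\r\n chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:20} -> {check(raw)}")
```

Only the first three samples are forwarded; every other one is answered with 400 and the connection closed, which is the behaviour a front end wants when the hop behind it may frame the message differently. Closing the connection matters as much as the 400: request smuggling needs the attacker's bytes to stay on a connection whose next message is parsed by the back end, so a rejected request must never leave residue in the buffer.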



Advisories

Source: GitHub GHSA
ID: GHSA-38f8-5428-x5cv
Title: Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding
History

Fri, 29 May 2026 00:15:00 +0000
  References: updated
  Metrics (threat_severity): None -> Moderate

Mon, 18 May 2026 12:30:00 +0000
  CPEs added: cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Fri, 15 May 2026 21:15:00 +0000
  Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 15:00:00 +0000
  First Time appeared: Io.netty; Io.netty netty-codec-http; Netty; Netty netty
  Vendors & Products added: Io.netty; Io.netty netty-codec-http; Netty; Netty netty

Wed, 13 May 2026 18:30:00 +0000
  Description added: Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
  Title added: Netty: HTTP Request Smuggling due to malformed Transfer-Encoding
  Weaknesses added: CWE-444
  References: updated
  Metrics (cvssV3_1) added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T20:34:21.305Z

Reserved: 2026-04-28T17:26:12.086Z

Link: CVE-2026-42585

Vulnrichment

Updated: 2026-05-15T20:33:01.224Z

NVD

Status: Analyzed

Published: 2026-05-13T19:17:24.187

Modified: 2026-05-18T12:24:23.970

Link: CVE-2026-42585

Red Hat

Severity: Moderate

Public Date: 2026-05-13T18:12:39Z

Links: CVE-2026-42585 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-14T14:34:03Z

Weaknesses: CWE-444