CVE Catalog

CVE-2026-42581

MediumCVSS 5.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.59%

44th percentile - higher than 44% of all known CVEs

Summary

A vulnerability in Netty allows HTTP request smuggling for HTTP/1.0 messages. When a request includes both Transfer-Encoding: chunked and Content-Length headers, HttpObjectDecoder fails to strip the conflicting Content-Length header for HTTP/1.0, causing message boundary disagreement.

Risk Assessment

An attacker can exploit this flaw to perform request smuggling, potentially bypassing security controls, hijacking sessions, or manipulating data processed by downstream proxies or handlers.

Recommendation

Upgrade Netty to version 4.2.13.Final or 4.1.133.Final immediately, which fix the issue by removing the Content-Length header for all HTTP versions.

Original NVD description (English source)

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS