CVE-2026-42581
MediumCVSS 5.8Exploitation Probability (EPSS)
Low risk44th percentile - higher than 44% of all known CVEs
Summary
A vulnerability in Netty allows HTTP request smuggling for HTTP/1.0 messages. When a request includes both Transfer-Encoding: chunked and Content-Length headers, HttpObjectDecoder fails to strip the conflicting Content-Length header for HTTP/1.0, causing message boundary disagreement.
Risk Assessment
An attacker can exploit this flaw to perform request smuggling, potentially bypassing security controls, hijacking sessions, or manipulating data processed by downstream proxies or handlers.
Recommendation
Upgrade Netty to version 4.2.13.Final or 4.1.133.Final immediately, which fix the issue by removing the Content-Length header for all HTTP versions.
Original NVD description (English source)
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

