io.netty:netty-codec-http@4.2.6.Final

  • latest version: 4.2.12.Final

  • latest non-vulnerable version: (none listed)

  • first published: 13 years ago

  • latest version published: 1 month ago

  • licenses detected: (none listed)

  • package registry: (none listed)

  • Direct Vulnerabilities

    Known vulnerabilities in the io.netty:netty-codec-http package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable versions

    • [Medium] HTTP Request Smuggling

    io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

    Affected versions of this package are vulnerable to HTTP Request Smuggling in the HttpObjectDecoder component. An attacker can manipulate downstream request interpretation by sending specially crafted HTTP/1.0 requests containing both Transfer-Encoding: chunked and Content-Length headers. This can result in unauthorized access, cache poisoning, or bypassing security controls by causing downstream proxies or handlers to misinterpret message boundaries.

    Note:

    This is only exploitable if the deployment is behind a reverse proxy or load balancer that prioritizes the Content-Length header, the attacker can send HTTP/1.0 requests, and there is no additional HTTP/1.0 stripping layer between the attacker and the application.

    How to fix HTTP Request Smuggling?

    Upgrade io.netty:netty-codec-http to version 4.1.133.Final, 4.2.13.Final or higher.

    Vulnerable versions: [,4.1.133.Final), [4.2.0.Alpha1,4.2.13.Final)

    • [Medium] HTTP Request Smuggling

    Affected versions of this package are vulnerable to HTTP Request Smuggling via the getChunkSize function. An attacker can inject unauthorized HTTP requests by crafting a chunk size value that causes integer overflow, allowing additional requests to be smuggled within the body of a chunked HTTP message.

    How to fix HTTP Request Smuggling?

    Upgrade io.netty:netty-codec-http to version 4.1.133.Final, 4.2.13.Final or higher.

    Vulnerable versions: [,4.1.133.Final), [4.2.0.Alpha1,4.2.13.Final)

    • [Medium] HTTP Request Smuggling

    Affected versions of this package are vulnerable to HTTP Request Smuggling in the HttpClientCodec component. An attacker can cause response desynchronization and potentially compromise the integrity and availability of HTTP parsing by sending crafted HTTP/1.1 pipelined requests that include a HEAD request and trigger the server to send 1xx responses. This can result in unsafe reuse of the socket and misinterpretation of response bodies.

    Note:

    This is only exploitable if HTTP/1.1 pipelining is used, a HEAD request is present in the pipeline, and the server sends 1xx responses.

    How to fix HTTP Request Smuggling?

    Upgrade io.netty:netty-codec-http to version 4.1.133.Final, 4.2.13.Final or higher.

    Vulnerable versions: [,4.1.133.Final), [4.2.0.Alpha1,4.2.13.Final)

    • [Medium] HTTP Request Smuggling

    Affected versions of this package are vulnerable to HTTP Request Smuggling when parsed HTTP requests contain malformed Transfer-Encoding headers. An attacker can inject unauthorized HTTP requests by crafting a request with a Transfer-Encoding: chunked, identity header, which is incorrectly interpreted, allowing the attacker to smuggle additional requests through the connection.

    How to fix HTTP Request Smuggling?

    Upgrade io.netty:netty-codec-http to version 4.1.133.Final, 4.2.13.Final or higher.

    Vulnerable versions: [,4.1.133.Final), [4.2.0.Alpha1,4.2.13.Final)

    • [Medium] HTTP Request Smuggling

    Affected versions of this package are vulnerable to HTTP Request Smuggling in the setUri function. An attacker can inject arbitrary CRLF sequences into the HTTP or RTSP request line by supplying crafted input to setUri, leading to the creation of additional requests or manipulation of request boundaries when the object is serialized by HttpRequestEncoder or RtspEncoder. This can result in request smuggling, desynchronization, or unauthorized access to internal APIs if attacker-controlled input is passed to setUri and subsequently encoded.

    Note:

    This is only exploitable if all of the following conditions are met:

    • The application uses DefaultHttpRequest or DefaultFullHttpRequest;

    • The request object is created first and later modified through setUri();

    • The value passed into setUri() is attacker-controlled or attacker-influenced;

    • The object is eventually serialized by HttpRequestEncoder or RtspEncoder.

    How to fix HTTP Request Smuggling?

    Upgrade io.netty:netty-codec-http to version 4.1.133.Final, 4.2.13.Final or higher.

    Vulnerable versions: [,4.1.133.Final), [4.2.0.Alpha1,4.2.13.Final)

    • [High] HTTP Request Smuggling

    Affected versions of this package are vulnerable to HTTP Request Smuggling in the parsing of quoted strings within chunked transfer encoding extension values. An attacker can inject arbitrary HTTP requests into a connection by crafting chunk extensions containing carriage return or line feed bytes, leading to parsing discrepancies between the server and RFC-compliant intermediaries.

    How to fix HTTP Request Smuggling?

    Upgrade io.netty:netty-codec-http to version 4.1.132.Final, 4.2.12.Final or higher.

    Vulnerable versions: [,4.1.132.Final), [4.2.0.Alpha1,4.2.12.Final)

    • [Medium] CRLF Injection

    Affected versions of this package are vulnerable to CRLF Injection in HttpRequestEncoder, due to improper sanitization of a URI with line-breaks in the DefaultHttpRequest class. An attacker can manipulate HTTP requests to cause parser desynchronization, request smuggling, and response splitting by including line break characters in requests.

    How to fix CRLF Injection?

    Upgrade io.netty:netty-codec-http to version 4.1.129.Final, 4.2.8.Final or higher.

    Vulnerable versions: [,4.1.129.Final), [4.2.0.Alpha1,4.2.8.Final)