HTTP Request Smuggling Affecting io.netty:netty-codec-http package, versions [,4.1.133.Final)[4.2.0.Alpha1,4.2.13.Final)
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JAVA-IONETTY-16438934
- published7 May 2026
- disclosed7 May 2026
- creditsubbudvk
Introduced: 7 May 2026
NewCVE-2026-42581 (opens in a new tab)How to fix?
Upgrade io.netty:netty-codec-http to version 4.1.133.Final, 4.2.13.Final or higher.
Overview
io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.
Affected versions of this package are vulnerable to HTTP Request Smuggling in the HttpObjectDecoder component. An attacker can manipulate downstream request interpretation by sending specially crafted HTTP/1.0 requests containing both Transfer-Encoding: chunked and Content-Length headers. This can result in unauthorized access, cache poisoning, or bypassing security controls by causing downstream proxies or handlers to misinterpret message boundaries.
Note:
This is only exploitable if the deployment is behind a reverse proxy or load balancer that prioritizes the Content-Length header, the attacker can send HTTP/1.0 requests, and there is no additional HTTP/1.0 stripping layer between the attacker and the application.