netty-codec-http-4.1.119.Final.jar: 4 vulnerabilities (highest severity is: 7.5) #284
Description
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (netty-codec-http version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2026-33870 |  High |
7.5 | Not Defined | netty-codec-http-4.1.119.Final.jar | Direct | io.netty:netty-codec-http:4.1.132.Final,io.netty:netty-codec-http:4.2.10.Final | ❌ | ||
| CVE-2025-67735 |  Medium |
6.5 | Not Defined | 0.0% | netty-codec-http-4.1.119.Final.jar | Direct | https://github.com/netty/netty.git - netty-4.2.8.Final,https://github.com/netty/netty.git - netty-4.1.129.Final | ✅ | |
| CVE-2025-58057 | Medium |
5.3 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 4.1.125.Final | ✅ | |
| CVE-2025-58056 | Medium |
5.3 | Not Defined | 0.0% | netty-codec-http-4.1.119.Final.jar | Direct | 4.1.125.Final | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-33870
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Summary Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Background This vulnerability is a new variant discovered during research into the "Funky Chunks" HTTP request smuggling techniques: - "https://w4ke.info/2025/06/18/funky-chunks.html" (https://w4ke.info/2025/06/18/funky-chunks.html) - "https://w4ke.info/2025/10/29/funky-chunks-2.html" (https://w4ke.info/2025/10/29/funky-chunks-2.html) The original research tested various chunk extension parsing differentials but did not cover quoted-string handling within extension values. Technical Details RFC 9110 Section 7.1.1 defines chunked transfer encoding: chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) chunk-ext-val = token / quoted-string RFC 9110 Section 5.6.4 defines quoted-string: quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE Critically, the allowed character ranges within a quoted-string are: qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text quoted-pair = "" ( HTAB / SP / VCHAR / obs-text ) CR ("%x0D") and LF ("%x0A") bytes fall outside all of these ranges and are therefore not permitted inside chunk extensions—whether quoted or unquoted. A strictly compliant parser should reject any request containing CR or LF bytes before the actual line terminator within a chunk extension with a "400 Bad Request" response (as Squid does, for example). Vulnerability Netty terminates chunk header parsing at "\r\n" inside quoted strings instead of rejecting the request as malformed. This creates a parsing differential between Netty and RFC-compliant parsers, which can be exploited for request smuggling. Expected behavior (RFC-compliant): A request containing CR/LF bytes within a chunk extension value should be rejected outright as invalid. Actual behavior (Netty): Chunk: 1;a="value ^^^^^ parsing terminates here at \r\n (INCORRECT) Body: here"... is treated as body or the beginning of a subsequent request The root cause is that Netty does not validate that CR/LF bytes are forbidden inside chunk extensions before the terminating CRLF. Rather than attempting to parse through quoted strings, the appropriate fix is to reject such requests entirely. Proof of Concept #!/usr/bin/env python3 import socket payload = ( b"POST / HTTP/1.1\r\n" b"Host: localhost\r\n" b"Transfer-Encoding: chunked\r\n" b"\r\n" b'1;a="\r\n' b"X\r\n" b"0\r\n" b"\r\n" b"GET /smuggled HTTP/1.1\r\n" b"Host: localhost\r\n" b"Content-Length: 11\r\n" b"\r\n" b'"\r\n' b"Y\r\n" b"0\r\n" b"\r\n" ) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(3) sock.connect(("127.0.0.1", 8080)) sock.sendall(payload) response = b"" while True: try: chunk = sock.recv(4096) if not chunk: break response += chunk except socket.timeout: break sock.close() print(f"Responses: {response.count(b'HTTP/')}") print(response.decode(errors="replace")) Result: The server returns two HTTP responses from a single TCP connection, confirming request smuggling. Parsing Breakdown | Parser | Request 1 | Request 2 | |-----------------------|-------------------|------------------------------------| | Netty (vulnerable) | POST / body="X" | GET /smuggled (SMUGGLED) | | RFC-compliant parser | 400 Bad Request | (none — malformed request rejected)| Impact - Request Smuggling: An attacker can inject arbitrary HTTP requests into a connection. - Cache Poisoning: Smuggled responses may poison shared caches. - Access Control Bypass: Smuggled requests can circumvent frontend security controls. - Session Hijacking: Smuggled requests may intercept responses intended for other users. Reproduction 1. Start the minimal proof-of-concept environment using the provided Docker configuration. 2. Execute the proof-of-concept script included in the attached archive. Suggested Fix The parser should reject requests containing CR or LF bytes within chunk extensions rather than attempting to interpret them: 3. Read chunk-size. 4. If ';' is encountered, begin parsing extensions: a. For each byte before the terminating CRLF: - If CR (%x0D) or LF (%x0A) is encountered outside the final terminating CRLF, reject the request with 400 Bad Request. b. If the extension value begins with DQUOTE, validate that all enclosed bytes conform to the qdtext / quoted-pair grammar. 5. Only treat CRLF as the chunk header terminator when it appears outside any quoted-string context and contains no preceding illegal bytes. Acknowledgments Credit to Ben Kallus for clarifying the RFC interpretation during discussion on the HAProxy mailing list. Resources - "RFC 9110: HTTP Semantics (Sections 5.6.4, 7.1.1)" (https://www.rfc-editor.org/rfc/rfc9110) - "Funky Chunks Research" (https://w4ke.info/2025/06/18/funky-chunks.html) - "Funky Chunks 2 Research" (https://w4ke.info/2025/10/29/funky-chunks-2.html) Attachments "Vulnerability Diagram" (https://github.com/user-attachments/assets/2faaa23e-693b-4efc-afb7-aae1d4101e7e) "java_netty.zip" (https://github.com/user-attachments/files/24697955/java_netty.zip)
Publish Date: 2026-03-26
URL: CVE-2026-33870
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-pwqr-wmgm-9rr8
Release Date: 2026-03-26
Fix Resolution: io.netty:netty-codec-http:4.1.132.Final,io.netty:netty-codec-http:4.2.10.Final
CVE-2025-67735
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the "io.netty.handler.codec.http.HttpRequestEncoder" has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when "HttpRequestEncoder" is used without proper sanitization of the URI. Any application / framework using "HttpRequestEncoder" can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
Publish Date: 2025-12-16
URL: CVE-2025-67735
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-16
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.8.Final,https://github.com/netty/netty.git - netty-4.1.129.Final
In order to enable automatic remediation, please create workflow rules
CVE-2025-58057
Vulnerable Libraries - netty-codec-4.1.119.Final.jar, netty-codec-http-4.1.119.Final.jar
netty-codec-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar
Dependency Hierarchy:
- netty-codec-http-4.1.119.Final.jar (Root Library)
- ❌ netty-codec-4.1.119.Final.jar (Vulnerable Library)
netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-03
URL: CVE-2025-58057
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2025-09-03
Fix Resolution (io.netty:netty-codec): 4.1.125.Final
Direct dependency fix Resolution (io.netty:netty-codec-http): 4.1.125.Final
In order to enable automatic remediation, please create workflow rules
CVE-2025-58056
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
Publish Date: 2025-09-03
URL: CVE-2025-58056
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-09-03
Fix Resolution: 4.1.125.Final
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules