PT-2026-28107 · Netty+1 · Netty+1
Xclow3N
·
Publicado
2026-03-25
·
Atualizado
2026-05-18
·
CVE-2026-33870
CVSS v3.1
7.5
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Netty versions prior to 4.1.132.Final and 4.2.10.Final
Description
Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Specifically, Netty terminates chunk header parsing at carriage return/newline characters within quoted strings instead of rejecting the request as malformed. This creates a parsing differential between Netty and RFC-compliant parsers. The root cause is that Netty does not validate that carriage return/line feed bytes are forbidden inside chunk extensions before the terminating carriage return/line feed. A request containing carriage return/line feed bytes within a chunk extension value should be rejected outright as invalid. This issue can lead to request smuggling, cache poisoning, access control bypass, and session hijacking.
Recommendations
Update to Netty version 4.1.132.Final or 4.2.10.Final.
Exploit
Correção
HTTP Request/Response Smuggling
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Confluence
Netty