PT-2020-6587 · Io.Netty · Netty-Codec-Http2
Published 2020-02-25 · Updated 2026-04-01 · CVE-2021-21409
CVSS v3.1 5.9 Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
io.netty:netty-codec-http2 versions prior to 4.1.61.Final
Description
The issue is related to a lack of proper validation of the content-length header in HTTP/2 requests. If a request only uses a single Http2HeaderFrame with the endStream set to true, the content-length header is not correctly validated. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1.
Recommendations
For versions prior to 4.1.61.Final, update to version 4.1.61.Final to resolve the issue.
As a temporary workaround, users can perform the validation themselves by implementing a custom ChannelInboundHandler that is placed in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec. Validation can also be done by the user before proxying the request, by checking the content-length header against the body actually received.
Fix
DoS
HTTP Request/Response Smuggling
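One way to implement the workaround described above, as an added example that is not part of this advisory or of the Netty project's own code: a ChannelInboundHandler installed after Http2StreamFrameToHttpObjectCodec that rejects any request whose Content-Length header disagrees with the body bytes that actually arrived. The class name ContentLengthGuard is assumed; the Netty types it uses are the real io.netty API.

```java
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.*;
import io.netty.util.ReferenceCountUtil;

// Hypothetical mitigation handler: install it right after Http2StreamFrameToHttpObjectCodec
// and before whatever proxies the request to an HTTP/1.1 backend. It rejects any request
// whose Content-Length header disagrees with the body bytes that actually arrived, so a
// headers-only stream (END_STREAM on the HEADERS frame) cannot advertise a body that the
// backend would otherwise read out of the next request on the same connection.
public class ContentLengthGuard extends ChannelInboundHandlerAdapter {
    private long declared = -1; // Content-Length of the request in progress, -1 if absent
    private long received = 0;  // body bytes seen so far for that request
    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof FullHttpRequest) {
            // A single HEADERS frame with END_STREAM arrives here as a FullHttpRequest with
            // empty content; the vulnerable case is a non-zero Content-Length on it.
            FullHttpRequest req = (FullHttpRequest) msg;
            long len = HttpUtil.getContentLength(req, -1L);
            if (len >= 0 && len != req.content().readableBytes()) {
                reject(ctx, msg);
                return;
            }
        } else if (msg instanceof HttpRequest) {
            // Streamed request: remember the declared length and count content as it arrives.
            declared = HttpUtil.getContentLength((HttpRequest) msg, -1L);
            received = 0;
        } else if (msg instanceof HttpContent) {
            received += ((HttpContent) msg).content().readableBytes();
            boolean last = msg instanceof LastHttpContent;
            if (declared >= 0 && (received > declared || (last && received != declared))) {
                reject(ctx, msg);
                return;
            }
        }
        ctx.fireChannelRead(msg);
    }

    // Drop the offending message, answer 400 and close so nothing is forwarded downstream.
    private static void reject(ChannelHandlerContext ctx, Object msg) {
        ReferenceCountUtil.release(msg);
        ctx.writeAndFlush(new DefaultFullHttpResponse(HttpVersion.HTTP_1_1,
                HttpResponseStatus.BAD_REQUEST, Unpooled.EMPTY_BUFFER))
           .addListener(ChannelFutureListener.CLOSE);
    }
}
```

HttpUtil.getContentLength throws NumberFormatException on a malformed Content-Length value; that propagates to exceptionCaught, where the stream should likewise be closed rather than forwarded.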
Affected Products
Astra Linux
Linuxmint
Red Os
Rocky Linux
Suse
Ubuntu
Netty-Codec-Http2