PT-2021-5814 · io.netty:netty-codec-http2 · CVE-2021-21295

Published: 2021-01-21 · Updated: 2026-04-01

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

io.netty:netty-codec-http2 versions prior to 4.1.60.Final

Description

The issue lies in the handling of HTTP/2 requests in the Netty framework, specifically when a Content-Length header is present. If a request arrives as an HTTP/2 stream and is converted to HTTP/1.1 domain objects via Http2StreamFrameToHttpObjectCodec, the result can be request smuggling when those objects are proxied to a remote peer as HTTP/1.1: an attacker can smuggle requests inside the body as it is downgraded from HTTP/2 to HTTP/1.1. Users are affected only if Http2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer.

Recommendations

For versions prior to 4.1.60.Final, update to version 4.1.60.Final or later to resolve the issue. As a temporary workaround, users can implement a custom ChannelInboundHandler, placed in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec, that performs the validation themselves.

Fix

DoS

HTTP Request/Response Smuggling



Related Identifiers

BDU:2022-00303
BIT-ZOOKEEPER-2021-21295
CLEANSTART-2026-CI66802
CVE-2021-21295
DSA-4885-1
GHSA-F256-J965-7F32
GHSA-WM47-8V5P-WJPJ
MGASA-2021-0374
OESA-2021-1161
OPENSUSE-SU-2021:0448-1
OPENSUSE-SU-2021_0448-1
OPENSUSE-SU-2022_1271-1
OPENSUSE-SU-2024:11085-1
RHSA-2021:1511
RHSA-2021:2046
RHSA-2021:2047
RHSA-2021:2048
RHSA-2021:3656
RHSA-2021:3658
RHSA-2022:5498
RLSA-2022:5498
SUSE-SU-2022:1271-1
USN-6049-1

Affected Products

Apache Zookeeper
Astra Linux
Linuxmint
Red Os
Rocky Linux
Suse
Ubuntu
Io.Netty:Netty-Codec-Http2