PT-2021-7975 · Netty +5
Published 2021-12-09 · Updated 2024-06-15 · CVE-2021-43797

| CVSS v2.0 | 7.8 (High) |
| Vector | AV:N/AC:L/Au:N/C:N/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Netty versions prior to 4.1.71.Final
Description
The issue stems from incorrect handling of control characters in HTTP header names, which can lead to HTTP request smuggling. According to the specification, control characters at the beginning or end of a header name are not allowed; the software should fail fast when it encounters them, but instead it skips them. When Netty is used as a proxy, this causes it to "sanitize" header names before forwarding them to another remote system, potentially allowing an attacker to impact the integrity of protected information.
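The following is an added illustration, not Netty code and not part of the advisory: it models the two parsing policies the description contrasts, a lenient parser that skips leading and trailing control characters in a header name (the pre-4.1.71.Final behaviour described above) and a strict parser that fails fast on anything that is not an RFC 7230 token. Python is used here instead of Java so the check is easy to run on its own; the header lines are constructed samples, and `find_disagreements` is a hypothetical harness helper that reports every line on which the two policies diverge, which is the condition a proxy test suite should flag.

```python
"""Added example (not Netty code): strict HTTP header-name validation next to
the lenient behaviour described in the advisory.

RFC 7230 defines a header field name as a token: one or more tchar, where
  tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^"
        / "_" / "`" / "|" / "~" / DIGIT / ALPHA
Control characters (0x00-0x1F and 0x7F) and whitespace are never part of it.
"""
import string

TCHAR = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")


def is_ctl(ch: str) -> bool:
    """True for an ASCII control character (0x00-0x1F or DEL)."""
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def lenient_header_name(raw: str) -> str:
    """Models the behaviour the advisory describes: control characters at the
    start and end of the name are skipped instead of rejected, so the name
    that gets forwarded looks clean."""
    start, end = 0, len(raw)
    while start < end and is_ctl(raw[start]):
        start += 1
    while end > start and is_ctl(raw[end - 1]):
        end -= 1
    return raw[start:end]


def strict_header_name(raw: str) -> str:
    """Fail-fast behaviour: the name must be a non-empty RFC 7230 token."""
    if not raw or any(ch not in TCHAR for ch in raw):
        raise ValueError(f"invalid header field name: {raw!r}")
    return raw


def parse_header_line(line: str, name_fn) -> tuple[str, str]:
    """Split 'Name: value' and run the name through name_fn."""
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError(f"missing ':' in header line: {line!r}")
    return name_fn(name), value.strip(" \t")


def strict_rejects(line: str) -> bool:
    """Convenience predicate: does the strict parser refuse this line?"""
    try:
        parse_header_line(line, strict_header_name)
    except ValueError:
        return True
    return False


def find_disagreements(lines: list[str]) -> list[tuple[str, str]]:
    """Hypothetical harness helper: return (raw line, name the lenient parser
    would forward) for every line the lenient parser accepts but the strict
    parser rejects. Any hit means the two parsing policies diverge, which is
    exactly the condition that lets a downstream system see a different
    request than the proxy validated."""
    hits = []
    for line in lines:
        try:
            lenient_name, _ = parse_header_line(line, lenient_header_name)
        except ValueError:
            continue
        if strict_rejects(line):
            hits.append((line, lenient_name))
    return hits


# Constructed sample header block (not captured traffic). The second and
# fourth lines carry a leading or trailing control character in the name.
SAMPLE_HEADERS = [
    "Host: example.test",
    "\x01X-Trace-Id: abc",
    "Connection: keep-alive",
    "X-Forwarded-For\x7f: 192.0.2.1",
]

if __name__ == "__main__":
    for raw, forwarded in find_disagreements(SAMPLE_HEADERS):
        print(f"lenient parser forwards {forwarded!r} for {raw!r}; "
              f"strict parser rejects the line")
```

Run stand-alone, the script reports the two constructed lines whose names the lenient parser silently cleans up; the strict parser raises on both, which is the fail-fast behaviour the fixed release restores.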
Recommendations
For Netty versions prior to 4.1.71.Final, users should upgrade to version 4.1.71.Final to resolve the issue. As a temporary workaround, consider disabling the use of control characters in header names until a patch is available. Restrict access to the proxy functionality to minimize the risk of exploitation. Avoid using the affected Netty version as a proxy until the issue is resolved.
Fix
HTTP Request/Response Smuggling
Related Identifiers
Affected Products
Astra Linux
Linuxmint
Netty
Rocky Linux
Suse
Ubuntu