PT-2024-28960 · Netty · Netty

Shombo · Published 2024-07-18 · Updated 2025-10-09 · CVE-2024-40642

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
netty incubator codec.bhttp versions prior to 0.0.13.Final

Description
The BinaryHttpParser class does not properly validate input values, giving attackers almost complete control over the HTTP requests constructed from the parsed output. Attackers can abuse several of these issues individually to perform various injection attacks, including HTTP request smuggling, desync attacks, HTTP header injection, request queue poisoning, caching attacks, and Server Side Request Forgery (SSRF). The BinaryHttpParser class implements the readRequestHead method, which performs most of the relevant parsing of the received request. Each value in the data structure is prefixed with a variable-length integer giving its length. The parsing code first reads the length of each value from its variable-length integer prefix, then converts the corresponding slices of the ByteBuf to String, and finally passes these values into a new DefaultBinaryHttpRequest object, where no further parsing or validation occurs. The method value is partially validated; the other values are not validated at all. Software that relies on netty to apply input validation for binary HTTP data may be vulnerable to various injection and protocol-based attacks.

Recommendations
For versions prior to 0.0.13.Final, upgrade to version 0.0.13.Final to address the issue. There are no known workarounds for this vulnerability. As a temporary measure, consider restricting the use of the BinaryHttpParser class until a patch is available. Avoid using the readRequestHead method in the BinaryHttpParser class until the issue is resolved. Restrict access to the DefaultBinaryHttpRequest object to minimize the risk of exploitation.
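A defensive reading of the request head the description refers to, as an added example (constructed here, not netty's code, and written in Python rather than Java so it runs stand-alone): it assumes the RFC 9292 known-length request form, bounds every length prefix by the bytes actually present, and checks method, scheme, authority and path against the RFC 9110 token and RFC 3986 grammars before anything downstream sees them, so a CRLF in a path or a '/' in an authority is rejected at the parser rather than reaching request construction. The helper names and the sample messages GOOD, BAD_PATH and BAD_LEN are my own constructed inputs.

```python
import re
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")              # RFC 9110 token (method)
SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+\-.]*")                  # RFC 3986 scheme
AUTHORITY = re.compile(r"[A-Za-z0-9\-._~%!$&'()*+,;=:\[\]@]*")    # no '/', whitespace or CTL
PATH = re.compile(r"(\*|/[!#$%&'()*+,\-./0-9:;=?@A-Z_a-z~%]*)?")  # path-abempty plus query, or '*'
RULES = (("method", TOKEN), ("scheme", SCHEME), ("authority", AUTHORITY), ("path", PATH))
def read_varint(buf, pos):
    # QUIC varint (RFC 9000 section 16): top two bits of the first byte give a 1/2/4/8-byte length
    if pos >= len(buf) or pos + (1 << (buf[pos] >> 6)) > len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[pos] >> 6)
    value = buf[pos] & 0x3F
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, pos + length
def read_string(buf, pos):
    # The length prefix is attacker-controlled: bound the slice by the bytes actually present
    n, pos = read_varint(buf, pos)
    if pos + n > len(buf):
        raise ValueError("length prefix exceeds message")
    return buf[pos:pos + n], pos + n
def parse_request_head(buf):
    # RFC 9292 known-length request: framing indicator 0, then method, scheme, authority, path
    framing, pos = read_varint(buf, 0)
    if framing != 0:
        raise ValueError("only framing indicator 0 (known-length request) is handled here")
    fields = {}
    for name, rule in RULES:
        raw, pos = read_string(buf, pos)
        # fullmatch rather than a '$'-anchored match: '$' would silently accept a trailing LF
        if not raw.isascii() or not rule.fullmatch(raw.decode("ascii")):
            raise ValueError(f"{name}: invalid characters {raw!r}")
        fields[name] = raw.decode("ascii")
    return fields, pos  # pos now points at the field section
def accepts(buf):
    try:
        parse_request_head(buf)
        return True
    except ValueError:
        return False
def build_request_head(method, scheme, authority, path):
    # Builder for the constructed samples below; 1-byte varints (values < 64) are enough here
    out = bytes([0])
    for s in (method, scheme, authority, path):
        assert len(s) < 64
        out += bytes([len(s)]) + s.encode("latin-1")
    return out
GOOD = build_request_head("GET", "https", "example.com", "/index.html?q=1")
BAD_PATH = build_request_head("GET", "https", "example.com", "/a\r\nX-Injected: 1")  # CRLF in path
BAD_LEN = bytes([0, 63]) + b"GET"  # prefix claims 63 bytes, only 3 are present
```

The same grammar checks would apply to the field section that follows the head; the block stops at the point where the advisory says validation is missing.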


Related Identifiers

CVE-2024-40642
GHSA-Q8F2-HXQ5-CP4H

Affected Products

Netty