PT-2026-37246 · Netty · Netty
Aest3Ra +2
Published: 2026-05-05 · Updated: 2026-05-18
CVE-2026-41417
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Netty versions prior to 4.1.133.Final; Netty versions prior to 4.2.13.Final

Description: Request-line validation can be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created and its URI is subsequently modified using the setUri() function. While the constructors reject CRLF (Carriage Return Line Feed) and whitespace characters to prevent start-line corruption, setUri() does not perform this validation. Consequently, HttpRequestEncoder and RtspEncoder write the URI into the request line verbatim. If attacker-controlled input is passed to setUri(), it enables CRLF injection and the insertion of additional HTTP or RTSP requests. This can lead to HTTP request smuggling and desynchronization on the HTTP side, and to request injection on the RTSP side.

Recommendations: Update to version 4.1.133.Final or later. Update to version 4.2.13.Final or later. As a temporary workaround, avoid using the setUri() function with attacker-controlled input.
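The workaround above can be enforced in application code on unpatched versions by gating every call to setUri() behind the same start-line check the constructors apply. The following is an added example, not code from the Netty project: the helper names (isStartLineSafe, setUriChecked) are assumptions, the rejected character set mirrors what the description says the constructors reject (CR, LF, whitespace) and additionally rejects other control characters as a deliberately stricter choice, and the sample inputs are constructed. It depends on io.netty:netty-codec-http being on the classpath.

```java
import io.netty.handler.codec.http.DefaultHttpRequest;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpVersion;

public final class SafeUriUpdate {

    /**
     * Returns true only if the URI cannot corrupt an HTTP/RTSP start line:
     * no CR, no LF, no whitespace, and (stricter than the page describes,
     * an added choice here) no other ASCII control characters.
     */
    static boolean isStartLineSafe(String uri) {
        if (uri == null || uri.isEmpty()) {
            return false;
        }
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c == '\r' || c == '\n' || Character.isWhitespace(c) || c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        return true;
    }

    /**
     * Hypothetical guarded replacement for req.setUri(uri): validates first,
     * so untrusted input can never reach the encoder unchecked.
     */
    static void setUriChecked(HttpRequest req, String uri) {
        if (!isStartLineSafe(uri)) {
            throw new IllegalArgumentException("URI contains control or whitespace characters; refusing setUri()");
        }
        req.setUri(uri);
    }

    public static void main(String[] args) {
        // Constructor path: Netty validates this URI itself.
        HttpRequest req = new DefaultHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, "/index.html");

        // Benign update passes the guard.
        setUriChecked(req, "/search?q=netty");
        System.out.println("accepted: " + req.uri());

        // Constructed input carrying a CRLF: the guard rejects it before it can
        // be written verbatim into the request line by HttpRequestEncoder.
        try {
            setUriChecked(req, "/a\r\nX-Injected: 1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("uri unchanged: " + req.uri());
    }
}
```

Routing all post-construction URI changes through a single guarded helper also makes the fix auditable: a code search for direct setUri() calls outside the helper is then a quick way to confirm the workaround is applied everywhere.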

Exploit

Fix

Weakness Enumeration: HTTP Request/Response Smuggling

Related Identifiers

CLEANSTART-2026-DD05788
CLEANSTART-2026-GX01236
CLEANSTART-2026-JU62349
CLEANSTART-2026-JW30455
CLEANSTART-2026-LE11246
CLEANSTART-2026-MM00120
CLEANSTART-2026-PM36304
CLEANSTART-2026-PO27799
CLEANSTART-2026-RN56220
CLEANSTART-2026-VJ37814
CLEANSTART-2026-WG59699
CLEANSTART-2026-WK99982
CVE-2026-41417
GHSA-V8H7-RR48-VMMV
OPENSUSE-SU-2026:10795-1

Affected Products

Netty