CVE-2026-42578

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.133.Final Netty versions prior to 4.2.13.Final

Description Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() function creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF (Carriage Return Line Feed) validation. CRLF injection is a technique where an attacker inserts special characters to manipulate the structure of an HTTP request. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server.

Recommendations Update to version 4.1.133.Final or newer. Update to version 4.2.13.Final or newer. As a temporary workaround, restrict access to the outboundHeaders variable or ensure that any user-supplied data passed to the HttpProxyHandler constructor is strictly sanitized to remove CRLF characters.