PT-2026-38374 · Netty+2

Published: 2026-05-07 · Updated: 2026-06-11 · CVE-2026-42581

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Netty versions prior to 4.1.133.Final
Netty versions prior to 4.2.13.Final

Description

In the HttpObjectDecoder component, the software fails to strip the Content-Length header when an HTTP/1.0 request contains both a Transfer-Encoding: chunked header and a Content-Length header. This conflict is handled for HTTP/1.1 messages, but the guard is absent for HTTP/1.0. An attacker can therefore send a request that Netty decodes as chunked while the Content-Length header is left intact in the forwarded HttpMessage. If a downstream proxy or handler prioritizes Content-Length over Transfer-Encoding, the two components disagree on where the message ends, enabling request smuggling. This can lead to cache poisoning, session fixation, unauthorized access to internal endpoints, and the bypassing of authentication layers or Web Application Firewalls (WAF). The issue specifically involves the handleTransferEncodingChunkedWithContentLength() function.

Recommendations

Update to version 4.1.133.Final or later.
Update to version 4.2.13.Final or later.
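The framing conflict described above, shown as an added example that is not Netty's code. It parses a constructed HTTP/1.x request head, flags the case where both Transfer-Encoding: chunked and Content-Length are present, and compares two normalization policies: a version-gated one that drops Content-Length only for HTTP/1.1 (the gap the advisory describes) and a hardened one that drops it for every HTTP/1.x version, which is what RFC 7230 §3.3.3 requires before a message is forwarded. The function names, the sample requests and the `Headers` alias are this example's own.

```python
"""Detect and resolve a Transfer-Encoding / Content-Length framing conflict.

Added example, not Netty code. Two policies are modelled for an HTTP/1.x request head:
`normalize_version_gated` mirrors the described pre-fix behaviour (Content-Length is removed
only for HTTP/1.1) and `normalize_hardened` removes it for any HTTP/1.x version whenever
chunked framing is in effect. All sample requests below are constructed.
"""
from typing import Dict, List, Tuple

# Lower-cased header name -> list of values (a header may repeat).
Headers = Dict[str, List[str]]

# Constructed sample: HTTP/1.0 request carrying both framing headers (the ambiguous case).
SAMPLE_HTTP10 = (
    b"POST /api HTTP/1.0\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)

# Constructed sample: the same conflict on HTTP/1.1, which the described guard already covers.
SAMPLE_HTTP11 = SAMPLE_HTTP10.replace(b"HTTP/1.0", b"HTTP/1.1")

# Constructed sample: a request with a single, unambiguous framing header.
SAMPLE_CLEAN = b"GET / HTTP/1.0\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"


def parse_request_head(raw: bytes) -> Tuple[str, Headers]:
    """Split a raw request head into (HTTP version, lower-cased header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    version = request_line.rsplit(" ", 1)[-1]
    headers: Headers = {}
    for line in header_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, headers


def is_chunked(headers: Headers) -> bool:
    """True when 'chunked' is the final transfer coding, the only position it is valid in."""
    codings = [
        coding.strip().lower()
        for value in headers.get("transfer-encoding", [])
        for coding in value.split(",")
    ]
    return bool(codings) and codings[-1] == "chunked"


def has_framing_conflict(headers: Headers) -> bool:
    """Both framing mechanisms present: two parsers may disagree on where the body ends."""
    return is_chunked(headers) and "content-length" in headers


def normalize_version_gated(version: str, headers: Headers) -> Headers:
    """Described pre-fix behaviour: Content-Length is removed only for HTTP/1.1 messages."""
    out = {name: list(values) for name, values in headers.items()}
    if has_framing_conflict(out) and version == "HTTP/1.1":
        del out["content-length"]
    return out


def normalize_hardened(version: str, headers: Headers) -> Headers:
    """Remove Content-Length whenever chunked framing applies; the version is deliberately ignored."""
    out = {name: list(values) for name, values in headers.items()}
    if has_framing_conflict(out):
        del out["content-length"]
    return out


if __name__ == "__main__":
    for label, raw in (("HTTP/1.0", SAMPLE_HTTP10), ("HTTP/1.1", SAMPLE_HTTP11), ("clean", SAMPLE_CLEAN)):
        version, headers = parse_request_head(raw)
        gated = normalize_version_gated(version, headers)
        hardened = normalize_hardened(version, headers)
        print(f"{label}: conflict={has_framing_conflict(headers)} "
              f"gated_keeps_cl={'content-length' in gated} "
              f"hardened_keeps_cl={'content-length' in hardened}")
```

Run stand-alone, the script shows that the version-gated policy forwards the HTTP/1.0 request with both headers still present while the hardened policy leaves a single framing header in every case; the same check can be applied at an edge proxy to reject or log ambiguous requests before they reach a back end.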

Exploit

Fix

HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-CP46043
CLEANSTART-2026-DD05788
CLEANSTART-2026-EG39405
CLEANSTART-2026-GX01236
CLEANSTART-2026-LE11246
CLEANSTART-2026-MX76059
CLEANSTART-2026-PM36304
CLEANSTART-2026-PO27799
CLEANSTART-2026-RN56220
CLEANSTART-2026-RU36468
CLEANSTART-2026-VJ37814
CVE-2026-42581
GHSA-XXQH-MFJM-7MV9
OPENSUSE-SU-2026:10795-1
SUSE-SU-2026:2308-1
USN-8401-1

Affected Products

Linuxmint
Netty
Ubuntu