PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42581 netty CVE debrief

Netty's HttpObjectDecoder contains an HTTP request smuggling vulnerability affecting HTTP/1.0 requests. When both Transfer-Encoding: chunked and Content-Length headers are present, the decoder strips the conflicting Content-Length header for HTTP/1.1 but fails to apply the same protection for HTTP/1.0. This causes Netty to decode the body as chunked while preserving Content-Length in the forwarded HttpMessage. Downstream proxies or handlers that prioritize Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling attacks. The vulnerability exists in Netty versions prior to 4.1.133.Final and 4.2.13.Final.

Vendor: netty
Product: Unknown
CVSS: MEDIUM 5.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-18
Advisory published: 2026-05-13
Advisory updated: 2026-05-18

Who should care

Organizations running Netty-based applications as HTTP servers, proxies, or load balancers, particularly those handling HTTP/1.0 traffic or operating in multi-hop proxy architectures where downstream components may interpret headers differently.

Technical summary

The vulnerability stems from inconsistent header handling between HTTP protocol versions in Netty's HttpObjectDecoder. For HTTP/1.1, when both Transfer-Encoding: chunked and Content-Length headers are present, the decoder strips Content-Length to prevent ambiguity. However, this protection is not applied to HTTP/1.0 requests. An attacker can exploit this by sending an HTTP/1.0 request with both headers, causing Netty to process the body as chunked (per Transfer-Encoding) while forwarding Content-Length intact. If downstream components trust Content-Length, they may interpret message boundaries differently, allowing request smuggling. The fix in 4.1.133.Final and 4.2.13.Final extends the Content-Length stripping protection to HTTP/1.0 requests.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Netty to 4.1.133.Final or later on the 4.1 line, or 4.2.13.Final or later on the 4.2 line
  • Review HTTP proxy and load balancer configurations to ensure every hop resolves a Transfer-Encoding/Content-Length conflict the same way
  • Implement additional request validation at proxy layers to detect and reject requests carrying conflicting framing headers
  • Monitor for anomalous HTTP/1.0 requests carrying both Transfer-Encoding: chunked and Content-Length headers
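The last two actions come down to one check at the edge: does a request head carry both framing headers, and is it HTTP/1.0? The following detector is an added example written for this debrief, not code from PatchSiren or from Netty; it parses constructed request heads (function and sample names are the example's own) and reports the conflicting HTTP/1.0 case separately from the HTTP/1.1 case the decoder already neutralises.

```python
"""Flag request heads that carry both Transfer-Encoding: chunked and
Content-Length, separating the HTTP/1.0 case from the HTTP/1.1 case."""
import re
from typing import Dict, List, Optional, Tuple

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
Headers = Dict[str, List[str]]

def parse_head(raw: bytes) -> Optional[Tuple[Tuple[int, int], Headers]]:
    """Split a request head into (version, headers). Names are lower-cased,
    repeated headers are kept as a list, CRLF and bare LF both accepted.
    Returns None for a malformed head (bad request line, missing colon,
    leading whitespace before a name, i.e. obsolete line folding)."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("latin-1")
    lines = re.split(r"\r?\n", head)
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers: Headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            return None
        headers.setdefault(name.lower(), []).append(value.strip())
    return (int(m.group(3)), int(m.group(4))), headers

def is_chunked(headers: Headers) -> bool:
    """Transfer-Encoding may list several codings (e.g. "gzip, chunked")."""
    codings = [c.strip().lower()
               for v in headers.get("transfer-encoding", []) for c in v.split(",")]
    return "chunked" in codings

def classify(raw: bytes) -> str:
    """'ok', 'malformed', 'conflict-http10' (the unguarded case in this
    debrief) or 'conflict-http11' (already stripped by the decoder)."""
    parsed = parse_head(raw)
    if parsed is None:
        return "malformed"
    version, headers = parsed
    if is_chunked(headers) and "content-length" in headers:
        return "conflict-http10" if version == (1, 0) else "conflict-http11"
    return "ok"

# Constructed request heads for the demo, not captured traffic.
SAMPLES: Dict[str, bytes] = {
    "http10_both": b"POST /api HTTP/1.0\r\nHost: h\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "http11_both": b"POST /api HTTP/1.1\r\nHost: h\r\ncontent-length: 5\r\nTransfer-Encoding: gzip, chunked\r\n\r\n",
    "http10_cl_only": b"POST /api HTTP/1.0\r\nHost: h\r\nContent-Length: 5\r\n\r\n",
    "lf_only": b"POST /api HTTP/1.0\nContent-Length: 5\nTransfer-Encoding: Chunked\n\n",
    "bad_line": b"POST /api HTTP/1.0\r\nContent-Length 5\r\n\r\n",
}

def scan(samples: Dict[str, bytes]) -> Dict[str, str]:
    return {name: classify(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:15s} {verdict}")
```

A verdict of conflict-http10 is the signal worth alerting on at a proxy in front of an unpatched Netty service; conflict-http11 still indicates a client sending ambiguous framing and is worth rejecting outright.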

Evidence notes

The CVE description and NVD record confirm the vulnerability affects HTTP/1.0 requests specifically, with the guard present for HTTP/1.1 but absent for HTTP/1.0. The GitHub Security Advisory provides vendor confirmation and mitigation guidance.

Official resources

2026-05-13