PatchSiren cyber security CVE debrief

CVE-2026-42585 Netty CVE debrief

Netty versions prior to 4.1.133.Final and 4.2.13.Final contain an HTTP request smuggling vulnerability stemming from incorrect parsing of malformed Transfer-Encoding headers. The flaw allows attackers to manipulate how front-end and back-end servers interpret HTTP request boundaries, potentially enabling unauthorized access to internal systems, cache poisoning, or credential hijacking. The vulnerability carries a CVSS 3.1 score of 6.5 (Medium severity) with network attack vector, low complexity, and no required privileges or user interaction. Netty released patches on May 13, 2026, with the NVD record subsequently analyzed by May 18, 2026. Organizations using affected Netty versions in HTTP server or proxy configurations should prioritize upgrading to the fixed releases.

Vendor: Netty
Product: Netty
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-18
Advisory published: 2026-05-13
Advisory updated: 2026-05-18

Who should care

Organizations running Netty-based HTTP servers, reverse proxies, or API gateways; development teams using Netty for network application frameworks; security teams responsible for web application firewall rule validation and HTTP traffic inspection.

Technical summary

The vulnerability exists in Netty's HTTP codec implementation where malformed Transfer-Encoding headers are not properly validated or rejected. HTTP request smuggling occurs when discrepancies between front-end and back-end servers in interpreting request boundaries allow attackers to prepend malicious content to legitimate requests. The attack typically involves crafting requests with ambiguous or malformed Transfer-Encoding values that one server interprets differently than another. Successful exploitation can bypass security controls, access unauthorized resources, or poison caches. The fix in 4.1.133.Final and 4.2.13.Final corrects the parsing logic to properly handle malformed Transfer-Encoding headers according to HTTP specification requirements.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Netty to 4.1.133.Final or later on the 4.1 line, or 4.2.13.Final or later on the 4.2 line
  • Review HTTP proxy/gateway configurations for request smuggling exposure
  • Implement additional front-end validation for Transfer-Encoding headers where immediate patching is not feasible
  • Monitor for anomalous HTTP traffic patterns indicating potential smuggling attempts
  • Validate that downstream services are not vulnerable to desynchronized request interpretation
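The front-end validation suggested above, as an added example that is not code from this page or from the Netty project (written in Python rather than Netty's Java so it runs stand-alone): it checks a raw HTTP/1.1 request head against the RFC 9112 rules on Transfer-Encoding that desync payloads bend, and returns the reasons a gateway should reject or flag the request. The request heads in the test are constructed samples.

```python
import re

# RFC 9110 "tchar": the only characters allowed in header names and transfer-codings.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress", "identity"}


def parse_head(raw: bytes) -> list:
    """Split a request head into (name, value) pairs without normalising, so the validator sees the bytes as a back end would."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if line[:1] in (" ", "\t"):              # obs-fold continuation line
            pairs.append(("", line))
            continue
        name, sep, value = line.partition(":")
        pairs.append((name, value if sep else None))
    return pairs


def validate_transfer_encoding(raw: bytes) -> list:
    """Return reasons to reject or flag the request head; an empty list means clean."""
    reasons, te_values, cl_seen = [], [], False
    for name, value in parse_head(raw):
        if name == "" or value is None:           # obs-fold continuation or no colon
            reasons.append(f"malformed header line {(name or value)!r}")
            continue
        # Whitespace before the colon is forbidden (RFC 9112 s5.1) and makes parsers disagree.
        if name != name.strip() or not _TOKEN_RE.match(name):
            reasons.append(f"malformed header name {name!r}")
            continue
        if name.lower() == "content-length":
            cl_seen = True
        elif name.lower() == "transfer-encoding":
            te_values.append(value)
    if not te_values:
        return reasons
    if len(te_values) > 1:
        reasons.append("multiple Transfer-Encoding headers")
    if cl_seen:                                   # RFC 9112 s6.3: TE wins, but reject the ambiguity
        reasons.append("Transfer-Encoding and Content-Length both present")
    codings = [c.strip(" \t") for v in te_values for c in v.split(",")]  # strip OWS only
    for c in codings:
        if not _TOKEN_RE.match(c):                # empty, or control/odd whitespace bytes
            reasons.append(f"malformed transfer-coding {c!r}")
        elif c.lower() not in _KNOWN_CODINGS:
            reasons.append(f"unknown transfer-coding {c!r}")
    if codings[-1].lower() != "chunked":          # chunked must be the final coding (RFC 9112 s6.1)
        reasons.append("chunked is not the final transfer-coding")
    return reasons
```

Deploying this in front of an unpatched Netty service only narrows the exposure; the returned reasons are also useful as log fields for the traffic monitoring action above.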

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-38f8-5428-x5cv, which includes exploit details and vendor patch availability. CPE criteria specify the affected version ranges: all versions below 4.1.133.Final, and 4.2.0 through 4.2.12.Final. CWE-444 (HTTP Request Smuggling) is classified as a secondary weakness. The CVSS vector confirms a network-accessible attack with confidentiality and integrity impacts.

Official resources

2026-05-13T19:17:24.187Z