9.8
Netty: Malformed HTTP Requests Can Cause Message Disagreement
DEBIAN-CVE-2026-42581
Summary
Netty, a network framework, has a security issue that allows an attacker to craft HTTP requests so that Netty and a downstream server disagree on where each message ends. This happens when a request carries conflicting framing headers (Content-Length alongside Transfer-Encoding: chunked). To fix this, update to the latest version of Netty, 4.2.13.Final or 4.1.133.Final.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:11 | debian | netty | All versions |
| Debian:12 | debian | netty | All versions |
| Debian:13 | debian | netty | All versions |
| Debian:14 | debian | netty | All versions |
Original title
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries bo...
Original description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
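As an added example, not Netty's own code, the following Python model shows the HttpObjectDecoder guard described above in its version-gated pre-fix form beside the fixed form, together with the check a front-end proxy or handler can use to flag a request head that still carries both framing headers. The request head is constructed for the example, and the header parser is a deliberately simplified one.

```python
# Added example (not Netty's code): models the Content-Length / Transfer-Encoding
# guard before and after the fix, for HTTP/1.0 and HTTP/1.1 request heads.
from dataclasses import dataclass, field

@dataclass
class Head:
    version: str                                 # e.g. "HTTP/1.0"
    headers: dict = field(default_factory=dict)  # lower-cased header names

def parse_head(raw: bytes) -> Head:
    """Minimal parser: request line plus headers, stops at the blank line."""
    lines = raw.decode("ascii").split("\r\n")
    version = lines[0].split()[2]
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return Head(version, headers)

def is_chunked(h: Head) -> bool:
    """True if any Transfer-Encoding coding is 'chunked'."""
    te = h.headers.get("transfer-encoding", "")
    return "chunked" in [t.strip().lower() for t in te.split(",")]

def vulnerable_normalize(h: Head) -> Head:
    """Pre-fix behaviour: Content-Length is dropped only for HTTP/1.1,
    so an HTTP/1.0 head keeps both headers while the body is read as chunked."""
    if h.version == "HTTP/1.1" and is_chunked(h):
        h.headers.pop("content-length", None)
    return h

def fixed_normalize(h: Head) -> Head:
    """Fixed behaviour: the guard applies regardless of HTTP version."""
    if is_chunked(h):
        h.headers.pop("content-length", None)
    return h

def is_ambiguous(h: Head) -> bool:
    """Detection check for a front-end: both framing headers still present.
    A handler that sees this after decoding should reject the request."""
    return is_chunked(h) and "content-length" in h.headers

# Constructed sample: an HTTP/1.0 request carrying both framing headers.
SAMPLE = (b"POST / HTTP/1.0\r\nHost: example.test\r\n"
          b"Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n")
```

Running `is_ambiguous(vulnerable_normalize(parse_head(SAMPLE)))` returns True for the HTTP/1.0 sample, while the fixed normalizer leaves no conflict for either version.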
osv CVSS3.1: 5.8
- https://security-tracker.debian.org/tracker/CVE-2026-42581 Vendor Advisory
Published: 13 May 2026 · Updated: 19 May 2026 · First seen: 14 May 2026