Overview
About vulnerability
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.Details
- Affected product:
- Apache CXF , Apache Kafka , Apache Log4j , Apache Lucene , Apache Solr , Apache Spark , Eclipse Jetty , Netty , React , Spring , Wildfly , artemis , async-http-client , avro , azure-sdk-for-java , bolt-connection-java , camel , cassandra-java-driver , couchbase-jvm-clients , docker-java , elasticsearch , flink , flink-shaded , grpc-java , grpc-netty , infinispan , java-driver , lettuce , logging-flume , neo4j-java-driver , netty , olingo-odata4 , pulsar , rabbitmq-stream-java-client , rsocket-java , tika , vert.x , wildfly , zendesk-java-client , zookeeper
- Affected packages:
- netty-common @ 4.1.107.Final (+12207 more)