|
Vulnerabilities
< Back

CVE-2026-42585

Updated on 13 May 2026

Severity

6.5 Medium severity

Details

CVSS score
6.5
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE ID
Links
NISTCIRCLRHELUbuntu

Overview

About vulnerability

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Details

Affected product:
Apache CXF , Apache Kafka , Apache Log4j , Apache Lucene , Apache Spark , Eclipse Jetty , Netty , Spring , Wildfly , artemis , async-http-client , avro , azure-sdk-for-java , bolt-connection-java , camel , cassandra-java-driver , couchbase-jvm-clients , docker-java , elasticsearch , grpc-java , grpc-netty , infinispan , java-driver , lettuce , logging-flume , neo4j-java-driver , netty , olingo-odata4 , pulsar , rabbitmq-stream-java-client , rsocket-java , tika , vert.x , wildfly , zendesk-java-client , zookeeper
Affected packages:
grpc-netty @ 1.47.0 (+6935 more)
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.