CVE-2026-33870

Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

CVSS 7.5 HIGH · EPSS 0.5% · CWE-444

In short

Netty has a flaw in how it reads certain HTTP request formatting rules, allowing attackers to send specially crafted requests that can bypass security checks or trick the server into processing malicious commands.

Technical detail

Netty versions prior to 4.1.132.Final and 4.2.10.Final contain an HTTP request smuggling vulnerability (CWE-444) in chunked transfer encoding extension parsing. The framework incorrectly interprets quoted strings in chunk extension values, permitting an attacker to inject ambiguous requests that are processed differently by intermediary proxies and backend servers, potentially leading to request filtering bypass or cache poisoning.

Summary generated and translated by AI from the official description.
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected products
netty · netty
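
To check a build against the fixed releases named above, the following added example (not part of the advisory or of Netty) classifies Netty HTTP codec artifacts found in Maven `dependency:list`-style lines. It assumes the HTTP/1.1 codec ships in `netty-codec-http` and the `netty-all` bundle; the sample lines are constructed.

```python
import re

# Fixed releases per the advisory: 4.1.132.Final (4.1 line), 4.2.10.Final (4.2 line).
FIXED = {(4, 1): 132, (4, 2): 10}

# Assumption (not stated on the page): these artifacts carry the HTTP/1.1 codec.
HTTP_ARTIFACTS = {"netty-codec-http", "netty-all"}

# Maven coordinate: group:artifact:type[:classifier]:version:scope
COORD = re.compile(
    r"io\.netty:(?P<artifact>[A-Za-z0-9_.-]+):"
    r"(?:[A-Za-z0-9_.-]+:)*?"
    r"(?P<version>\d+\.\d+\.\d+(?:\.[A-Za-z0-9-]+)?)(?=[:\s]|$)"
)

def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for a Netty version string."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor) in FIXED:
        return "affected" if patch < FIXED[(major, minor)] else "fixed"
    # Reading "prior to" literally, older release lines are affected too.
    if (major, minor) < (4, 1):
        return "affected"
    return "unknown"  # newer release lines are not covered by the advisory

def scan(lines):
    """Return (artifact, version, status) for each HTTP codec artifact found."""
    findings = []
    for line in lines:
        m = COORD.search(line)
        if not m or m["artifact"] not in HTTP_ARTIFACTS:
            continue  # other Netty modules and unrelated dependencies
        findings.append((m["artifact"], m["version"], classify(m["version"])))
    return findings

# Constructed sample input, in the shape of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    io.netty:netty-codec-http:jar:4.1.118.Final:compile
[INFO]    io.netty:netty-codec-http:jar:4.1.132.Final:runtime
[INFO]    io.netty:netty-all:jar:4.2.9.Final:compile
[INFO]    io.netty:netty-codec-http:jar:4.2.10.Final:compile
[INFO]    io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.118.Final:compile
[INFO]    io.netty:netty-tcnative-boringssl-static:jar:2.0.70.Final:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.13:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version, status in scan(SAMPLE):
        print(f"{status:9} {artifact} {version}")
```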
