CVE-2026-41417
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri(). The constructors reject CRLF and whitespace characters that would break the start-line, but setUri() does not apply the same validation. HttpRequestEncoder and RtspEncoder then write the URI into the request line verbatim. If attacker-controlled input reaches setUri(), this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| netty | netty | >= 4.2.0.Alpha1, <= 4.2.12.Final | affected |
| netty | netty | <= 4.1.132.Final | affected |
Weaknesses
- CWE-93: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
- CWE-444: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.