Before reading the first request-line, Netty’s `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is true — that’s 0x00–0x1F and `0x7F` — as well as all whitespace.
RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line, a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds.
Netty’s deviation goes much further: it unconditionally consumes any sequence of non-CRLF control bytes (including NUL, SOH, STX, BEL, DEL) before the request-line. The `ISO_CONTROL_OR_WHITESPACE` table is initialised with a loop that marks all ISO control characters as skip-worthy. The `SKIP_CONTROL_CHARS_BYTES` ByteProcessor and `LineParser.skipControlChars()` then advance the reader index past those bytes during `READ_INITIAL` state.
A front-end component (load balancer, TLS terminator) that does not perform the same scan will interpret the request boundary differently from Netty. An attacker can exploit this discrepancy to perform HTTP request smuggling, injecting a malicious request that the proxy sees as one message but Netty processes as a separate request.
No public exploit is available at this time, but the vulnerability can be weaponised in pipelined or multiplexed transports where request-boundary confusion leads to desync.
DailyCVE Form:
Platform: Netty
Version: 4.1.0–4.1.134, 4.2.0–4.2.14
Vulnerability: Request smuggling
Severity: Moderate
Date: 2026-06-05
Prediction: 2026-06-15
What Undercode Say:
```shell
# Check the Netty version declared in the Maven pom.xml
grep -A 5 'netty-codec-http' pom.xml | grep -E '<version>|artifactId'
# Scan the build tree for netty-codec-http jars and flag versions inside the affected ranges (4.1.0-4.1.134, 4.2.0-4.2.14)
find . -name 'netty-codec-http-*.jar' | while read -r jar; do
  ver=$(basename "$jar" .jar | sed -E 's/^netty-codec-http-//; s/\.Final$//')
  IFS=. read -r major minor patch <<< "$ver"
  if [ "$major" = 4 ] && { { [ "$minor" = 1 ] && [ "$patch" -le 134 ]; } || { [ "$minor" = 2 ] && [ "$patch" -le 14 ]; }; } 2>/dev/null; then
    echo "VULNERABLE: $jar ($ver)"
  fi
done
# Verify ISO_CONTROL_OR_WHITESPACE behaviour in a live system
curl -v -H "Content-Length: 0" --data-binary $'\x00\x01GET / HTTP/1.1\r\nHost: victim.com\r\n\r\n' http://target/
```
How Exploit:
- Send a crafted HTTP request prefixed with `\x00` (NUL) and `\x01` (SOH) bytes.
- Netty’s `HttpObjectDecoder` silently skips these bytes and processes the subsequent `GET` as a valid request.
- A load balancer or proxy that does NOT strip these bytes will see a different message boundary, enabling a smuggled second request.
Protection:
- Upgrade to Netty `4.1.135.Final` or `4.2.15.Final`.
- Enable `strictLineParsing` in `HttpObjectDecoder` configuration to reject non-CRLF control bytes.
- Deploy a WAF rule that blocks 0x00–0x1F and `0x7F` bytes before the HTTP method.
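The framing discrepancy described at the top of this post, and the "reject control bytes before the method" rule from the Protection list, as an added Python example that is not Netty's code and not part of the original post. It frames one byte stream twice: strictly (RFC 9112 §2.2, only empty CRLF lines may precede a request-line) and leniently (the behaviour the post attributes to `HttpObjectDecoder`). The exact set of bytes skipped in lenient mode, the `frame_requests` / `desync_detected` names and the sample stream are this example's assumptions, not values taken from Netty.

```python
"""Frame an HTTP/1.1 byte stream under strict (RFC 9112 2.2) and lenient rules.

strict  - before a request-line, ignore only empty CRLF lines; any other
          leading byte is a framing error.
lenient - additionally skip ISO control bytes (0x00-0x1F, 0x7F) and space/tab,
          the behaviour the advisory describes for Netty's HttpObjectDecoder.
The skipped-byte set is this example's assumption about the
ISO_CONTROL_OR_WHITESPACE table, not a copy of it.
"""
import re

CRLF = b"\r\n"
LENIENT_SKIP = set(range(0x00, 0x20)) | {0x7F, 0x20}
REQUEST_LINE_RE = re.compile(rb"^[A-Za-z]+ [^ ]+ HTTP/1\.[01]$")


class FramingError(ValueError):
    """Raised when the stream cannot be framed under the chosen rules."""


def frame_requests(stream: bytes, lenient: bool) -> list:
    """Return a list of (method, target, body) tuples found in *stream*."""
    messages = []
    pos, end = 0, len(stream)
    while pos < end:
        # Pre-request-line gap: strict mode accepts only empty CRLF lines,
        # lenient mode also swallows control bytes and spaces.
        while pos < end:
            if stream.startswith(CRLF, pos):
                pos += 2
            elif lenient and stream[pos] in LENIENT_SKIP:
                pos += 1
            else:
                break
        if pos >= end:
            break
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            raise FramingError("incomplete header block")
        lines = stream[pos:head_end].split(CRLF)
        if not REQUEST_LINE_RE.match(lines[0]):
            raise FramingError(f"invalid request-line: {lines[0]!r}")
        method, target, _version = lines[0].split(b" ", 2)
        content_length = 0
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                content_length = int(value.strip())
        body_start = head_end + 4
        body = stream[body_start:body_start + content_length]
        if len(body) != content_length:
            raise FramingError("truncated body")
        messages.append((method.decode("ascii"), target.decode("ascii"), body))
        pos = body_start + content_length
    return messages


def desync_detected(stream: bytes) -> bool:
    """True when a strict front end and a lenient back end would disagree
    about *stream*: the strict framer rejects it, or the two framers yield
    different message lists. A front end can close the connection on True
    instead of forwarding the bytes."""
    try:
        strict = frame_requests(stream, lenient=False)
    except FramingError:
        return True
    return strict != frame_requests(stream, lenient=True)


# Constructed sample: a POST with an empty body, followed by bytes that a
# strict parser cannot frame but a lenient one reads as a second request.
SAMPLE_STREAM = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
    b"\x00\x01GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    print("lenient:", frame_requests(SAMPLE_STREAM, lenient=True))
    try:
        print("strict:", frame_requests(SAMPLE_STREAM, lenient=False))
    except FramingError as exc:
        print("strict rejected:", exc)
    print("desync:", desync_detected(SAMPLE_STREAM))
```

Run stand-alone, the lenient framer returns two messages (the POST and a GET for `/admin`) while the strict framer raises on the `\x00\x01` prefix, which is exactly the disagreement the post describes between a front end and Netty. `desync_detected` is the check a front end or WAF would apply: any stream the strict framer cannot accept, or frames differently from the lenient one, is dropped rather than forwarded.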
Impact:
- Remote attacker can smuggle arbitrary HTTP requests.
- Bypass front-end access controls.
- Corrupt responses served to other legitimate clients, leading to client timeouts and denial of service in load-balanced environments.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

