Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Vulnerabilities
** In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2026-33870
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
com.opentok.util.HttpClient (Application)
-> org.asynchttpclient.BoundRequestBuilder (Extension)
-> org.asynchttpclient.netty.NettyResponseFuture (Extension)
-> org.asynchttpclient.netty.timeout.TimeoutsHolder (Extension)
-> org.asynchttpclient.netty.request.NettyRequestSender (Extension)
-> org.asynchttpclient.netty.request.NettyRequestFactory (Extension)
-> ❌ io.netty.handler.codec.http.DefaultFullHttpRequest (Vulnerable Component)
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33870
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.02%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-pwqr-wmgm-9rr8
Release Date: 2026-03-26
Fix Resolution: io.netty:netty-codec-http:4.1.132.Final,io.netty:netty-codec-http:4.2.10.Final
CVE-2025-67735
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
com.opentok.util.HttpClient (Application)
-> org.asynchttpclient.DefaultAsyncHttpClient (Extension)
-> org.asynchttpclient.netty.request.NettyRequestSender (Extension)
-> org.asynchttpclient.netty.request.NettyRequestFactory (Extension)
-> ❌ io.netty.handler.codec.http.DefaultHttpRequest (Vulnerable Component)
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, "io.netty.handler.codec.http.HttpRequestEncoder" is vulnerable to CRLF injection through the request URI when constructing a request. This leads to request smuggling when "HttpRequestEncoder" is used without proper sanitization of the URI. Any application or framework using "HttpRequestEncoder" can be abused to perform request smuggling via CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
Publish Date: 2025-12-16
URL: CVE-2025-67735
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.021%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-16
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.8.Final,https://github.com/netty/netty.git - netty-4.1.129.Final
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-58057
Vulnerable Libraries - netty-codec-4.1.119.Final.jar, netty-codec-http-4.1.119.Final.jar
netty-codec-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar
Dependency Hierarchy:
- netty-codec-http-4.1.119.Final.jar (Root Library)
  - ❌ netty-codec-4.1.119.Final.jar (Vulnerable Library)
netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
io.netty.handler.codec.MessageAggregationException (Application)
-> io.netty.handler.codec.MessageAggregator (Extension)
-> io.netty.handler.codec.http.websocketx.WebSocketFrameAggregator (Extension)
-> org.asynchttpclient.netty.channel.ChannelManager (Extension)
-> org.asynchttpclient.DefaultAsyncHttpClient (Extension)
-> ❌ com.opentok.util.HttpClient (Vulnerable Component)
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-03
URL: CVE-2025-58057
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.068%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2025-09-03
Fix Resolution (io.netty:netty-codec): 4.1.125.Final
Direct dependency fix Resolution (io.netty:netty-codec-http): 4.1.125.Final
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-58056
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
com.opentok.util.HttpClient (Application)
-> org.asynchttpclient.DefaultAsyncHttpClient (Extension)
-> org.asynchttpclient.netty.channel.ChannelManager (Extension)
-> io.netty.handler.codec.http.HttpClientCodec (Extension)
-> ❌ io.netty.handler.codec.http.HttpDecoderConfig (Vulnerable Component)
Vulnerability Details
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
Publish Date: 2025-09-03
URL: CVE-2025-58056
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.041%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-09-03
Fix Resolution: 4.1.125.Final
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-42587
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42587
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.042%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution: 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-42583
Vulnerable Library - netty-codec-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar
Dependency Hierarchy:
- netty-codec-http-4.1.119.Final.jar (Root Library)
  - ❌ netty-codec-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes (22 bytes if compressedLength == 1) to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42583
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.04%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec): 4.1.133.Final
Direct dependency fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-42584
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42584
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.038%
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution: 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-42585
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42585
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.027%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-38f8-5428-x5cv
Release Date: 2026-05-08
Fix Resolution: 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-42580
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42580
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.039%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution: 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-42581
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42581
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.029%
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution: 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-41417
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty allows request-line validation to be bypassed when a "DefaultHttpRequest" or "DefaultFullHttpRequest" is created first and its URI is later changed via "setUri()". The constructors reject CRLF and whitespace characters that would break the start-line, but "setUri()" does not apply the same validation. "HttpRequestEncoder" and "RtspEncoder" then write the URI into the request line verbatim. If attacker-controlled input reaches "setUri()", this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-06
URL: CVE-2026-41417
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.061%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v8h7-rr48-vmmv
Release Date: 2026-05-05
Fix Resolution: 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33870
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.02%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-pwqr-wmgm-9rr8
Release Date: 2026-03-26
Fix Resolution: io.netty:netty-codec-http:4.1.132.Final,io.netty:netty-codec-http:4.2.10.Final
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the "io.netty.handler.codec.http.HttpRequestEncoder" has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when "HttpRequestEncoder" is used without proper sanitization of the URI. Any application / framework using "HttpRequestEncoder" can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
Publish Date: 2025-12-16
URL: CVE-2025-67735
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.021%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-12-16
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.8.Final,https://github.com/netty/netty.git - netty-4.1.129.Final
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Libraries - netty-codec-4.1.119.Final.jar, netty-codec-http-4.1.119.Final.jar
netty-codec-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar
Dependency Hierarchy:
netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-03
URL: CVE-2025-58057
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.068%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-09-03
Fix Resolution (io.netty:netty-codec): 4.1.125.Final
Direct dependency fix Resolution (io.netty:netty-codec-http): 4.1.125.Final
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
Publish Date: 2025-09-03
URL: CVE-2025-58056
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.041%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-09-03
Fix Resolution: 4.1.125.Final
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42587
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.042%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution: 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - netty-codec-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42583
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.04%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec): 4.1.133.Final
Direct dependency fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42584
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.038%
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution: 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42585
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.027%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-38f8-5428-x5cv
Release Date: 2026-05-08
Fix Resolution: 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42580
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.039%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution: 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42581
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.029%
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution: 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Netty allows request-line validation to be bypassed when a "DefaultHttpRequest" or "DefaultFullHttpRequest" is created first and its URI is later changed via "setUri()". The constructors reject CRLF and whitespace characters that would break the start-line, but "setUri()" does not apply the same validation. "HttpRequestEncoder" and "RtspEncoder" then write the URI into the request line verbatim. If attacker-controlled input reaches "setUri()", this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-06
URL: CVE-2026-41417
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.061%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v8h7-rr48-vmmv
Release Date: 2026-05-05
Fix Resolution: 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.