Netty 4.x Request Smuggling via Malformed Transfer-Encoding (before 4.2.13/4.1.133)
CVE-2026-42585 Published on May 13, 2026
Netty: HTTP Request Smuggling due to malformed Transfer-Encoding
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Vulnerability Analysis
CVE-2026-42585 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a HTTP Request Smuggling Vulnerability?
When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.
CVE-2026-42585 has been classified to as a HTTP Request Smuggling vulnerability or weakness.
Products Associated with CVE-2026-42585
Want to know whenever a new CVE is published for Netty? stack.watch will email you.
Affected Versions
netty:- Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected.
- Version < 4.1.133.Final is affected.
- Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected.
- Version < 4.1.133.Final is affected.