CVE-2026-33870

Exploit

EPSS 0.02%
Veröffentlicht 27.03.2026 19:54:15
Zuletzt bearbeitet 30.03.2026 20:12:16
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

NVD 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Netty ≫ Netty Version < 4.1.132

Netty ≫ Netty Version >= 4.2.0 < 4.2.10

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.057

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://w4ke.info/2025/06/18/funky-chunks.html

Technical Description

https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8

Vendor Advisory

Exploit

Mitigation

https://w4ke.info/2025/10/29/funky-chunks-2.html

Technical Description

https://www.rfc-editor.org/rfc/rfc9110

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2026-33870

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33870

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33870

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33870