7.5

CVE-2026-33870

Exploit

Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NettyNetty Version < 4.1.132
NettyNetty Version >= 4.2.0 < 4.2.10
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.64% 0.461
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://w4ke.info/2025/06/18/funky-chunks.html
Technical Description
https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8
Vendor Advisory
Exploit
Mitigation
https://w4ke.info/2025/10/29/funky-chunks-2.html
Technical Description
https://www.rfc-editor.org/rfc/rfc9110
Technical Description
https://access.redhat.com/errata/RHSA-2026:10184
https://access.redhat.com/errata/RHSA-2026:18059
https://access.redhat.com/errata/RHSA-2026:18054
https://access.redhat.com/errata/RHSA-2026:18055
https://access.redhat.com/errata/RHSA-2026:17668
https://access.redhat.com/errata/RHSA-2026:13571
https://access.redhat.com/errata/RHSA-2026:10175
https://access.redhat.com/errata/RHSA-2026:8509
https://access.redhat.com/errata/RHSA-2026:14272
https://access.redhat.com/errata/RHSA-2026:14276
https://access.redhat.com/errata/RHSA-2026:17789
https://access.redhat.com/errata/RHSA-2026:7109
https://access.redhat.com/errata/RHSA-2026:7380
https://access.redhat.com/errata/RHSA-2026:22619
https://access.redhat.com/errata/RHSA-2026:8159
https://access.redhat.com/security/cve/CVE-2026-33870
https://bugzilla.redhat.com/show_bug.cgi?id=2452453
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33870.json
https://access.redhat.com/errata/RHSA-2026:34608