CVE-2026-42581: Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization

May 7, 2026

HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling.

References

github.com/advisories/GHSA-xxqh-mfjm-7mv9
github.com/netty/netty
github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9
nvd.nist.gov/vuln/detail/CVE-2026-42581

Code Behaviors & Features

Detect and mitigate CVE-2026-42581 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →