CVE-2021-21295: Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)

March 9, 2021 (updated November 7, 2023)

If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up.

References

github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
nvd.nist.gov/vuln/detail/CVE-2021-21295

Code Behaviors & Features

Detect and mitigate CVE-2021-21295 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →