{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/http/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["http/2","denial-of-service","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in multiple HTTP/2 implementations that can be exploited by an unauthenticated, remote attacker to conduct a denial-of-service (DoS) attack. The specific details of the vulnerability aren\u0026rsquo;t disclosed in this brief, but the generic nature of the vulnerability means a wide array of servers are possibly vulnerable. Defenders need to focus on detecting anomalous HTTP/2 traffic patterns, given the lack of a specific CVE or patch information in the original source.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker establishes an HTTP/2 connection with a vulnerable server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a series of specially crafted HTTP/2 requests. Due to the vulnerability, these requests consume excessive server resources.\u003c/li\u003e\n\u003cli\u003eThe server begins to experience performance degradation due to resource exhaustion (CPU, memory, or network bandwidth).\u003c/li\u003e\n\u003cli\u003eLegitimate user requests are delayed or dropped as the server struggles to process the malicious traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to send malicious HTTP/2 requests, sustaining the resource exhaustion.\u003c/li\u003e\n\u003cli\u003eThe server becomes unresponsive, resulting in a denial-of-service condition for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition, rendering affected servers and services unavailable. The number of potential victims is broad, encompassing any system utilizing a vulnerable HTTP/2 implementation. The impact ranges from temporary service outages to prolonged periods of unavailability, causing business disruption and potential financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for anomalous HTTP/2 traffic patterns, specifically focusing on request rates and resource consumption (CPU, memory, network) using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting for HTTP/2 connections to mitigate the impact of excessive requests.\u003c/li\u003e\n\u003cli\u003eConsider deploying a Web Application Firewall (WAF) to inspect and filter HTTP/2 traffic for known malicious patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T09:21:36Z","date_published":"2026-04-01T09:21:36Z","id":"/briefs/2026-04-http2-dos/","summary":"A remote, anonymous attacker can exploit a vulnerability in various HTTP/2 implementations to perform a denial-of-service attack.","title":"HTTP/2 Implementations Vulnerability Enables Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-04-http2-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["netty","request-smuggling","http"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in Netty\u0026rsquo;s HTTP/1.1 chunked transfer encoding extension parsing, specifically in how it handles quoted strings. This flaw, discovered during research into \u0026ldquo;Funky Chunks\u0026rdquo; HTTP request smuggling techniques, stems from Netty terminating chunk header parsing at \u003ccode\u003e\\r\\n\u003c/code\u003e inside quoted strings, instead of rejecting the request as malformed. This behavior deviates from RFC 9110, which mandates that CR (\u003ccode\u003e%x0D\u003c/code\u003e) and LF (\u003ccode\u003e%x0A\u003c/code\u003e) bytes are not permitted inside chunk extensions. This parsing differential allows attackers to smuggle HTTP requests. Versions affected include netty-codec-http \u0026lt; 4.1.132.Final and netty-codec-http versions \u0026gt;= 4.2.0.Alpha1 and \u0026lt; 4.2.10.Final. This matters for defenders because successful exploitation can lead to severe consequences, including cache poisoning and session hijacking.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request with chunked transfer encoding.\u003c/li\u003e\n\u003cli\u003eThe request includes a chunk extension containing a quoted string with embedded \u003ccode\u003e\\r\\n\u003c/code\u003e characters. For example: \u003ccode\u003e1;a=\u0026quot;\\r\\n\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eNetty\u0026rsquo;s HTTP parser incorrectly terminates the chunk header parsing at the embedded \u003ccode\u003e\\r\\n\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe remaining portion of the intended chunk extension and the subsequent chunk data are interpreted as the beginning of a new HTTP request.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a smuggled HTTP request, such as \u003ccode\u003eGET /smuggled HTTP/1.1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable server processes both the initial and smuggled requests on the same connection.\u003c/li\u003e\n\u003cli\u003eThe smuggled request is executed, potentially bypassing security controls or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe server returns responses for both requests, potentially leading to cache poisoning or other malicious outcomes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to request smuggling, allowing attackers to inject arbitrary HTTP requests into a connection. This can result in cache poisoning, where smuggled responses may poison shared caches. Additionally, access control bypasses can occur, where smuggled requests circumvent frontend security controls. Session hijacking is also possible, where smuggled requests may intercept responses intended for other users. The impact is significant as it can compromise the confidentiality, integrity, and availability of web applications and services using vulnerable Netty versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Netty version 4.1.132.Final or 4.2.10.Final or later to remediate CVE-2026-33870.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Netty Chunked Transfer Encoding Request Smuggling\u0026rdquo; to identify potentially malicious requests exploiting this vulnerability.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for HTTP requests with chunked transfer encoding and chunk extensions containing quoted strings with embedded carriage returns and line feeds (\u003ccode\u003e\\r\\n\u003c/code\u003e) to identify exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to 127.0.0.1 on port 8080 which is used in the proof of concept for request smuggling.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T18:51:27Z","date_published":"2026-03-26T18:51:27Z","id":"/briefs/2026-04-netty-chunked-smuggling/","summary":"Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks by terminating chunk header parsing at \\r\\n inside quoted strings instead of rejecting the malformed request.","title":"Netty HTTP Request Smuggling via Chunked Extension Quoted-String Parsing","url":"https://feed.craftedsignal.io/briefs/2026-04-netty-chunked-smuggling/"}],"language":"en","title":"CraftedSignal Threat Feed — Http","version":"https://jsonfeed.org/version/1.1"}