https://feed.craftedsignal.io/tags/http/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 01 Apr 2026 09:21:36 +0000https://feed.craftedsignal.io/briefs/2026-04-http2-dos/Wed, 01 Apr 2026 09:21:36 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-http2-dos/A remote, anonymous attacker can exploit a vulnerability in various HTTP/2 implementations to perform a denial-of-service attack.A vulnerability exists in multiple HTTP/2 implementations that can be exploited by an unauthenticated, remote attacker to conduct a denial-of-service (DoS) attack. The specific details of the vulnerability aren’t disclosed in this brief, but the generic nature of the vulnerability means a wide array of servers are possibly vulnerable. Defenders need to focus on detecting anomalous HTTP/2 traffic patterns, given the lack of a specific CVE or patch information in the original source.

Attack Chain

1. The attacker establishes an HTTP/2 connection with a vulnerable server.
2. The attacker sends a series of specially crafted HTTP/2 requests. Due to the vulnerability, these requests consume excessive server resources.
3. The server begins to experience performance degradation due to resource exhaustion (CPU, memory, or network bandwidth).
4. Legitimate user requests are delayed or dropped as the server struggles to process the malicious traffic.
5. The attacker continues to send malicious HTTP/2 requests, sustaining the resource exhaustion.
6. The server becomes unresponsive, resulting in a denial-of-service condition for legitimate users.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition, rendering affected servers and services unavailable. The number of potential victims is broad, encompassing any system utilizing a vulnerable HTTP/2 implementation. The impact ranges from temporary service outages to prolonged periods of unavailability, causing business disruption and potential financial losses.

Recommendation

• Monitor web server logs for anomalous HTTP/2 traffic patterns, specifically focusing on request rates and resource consumption (CPU, memory, network) using the provided Sigma rule.
• Implement rate limiting for HTTP/2 connections to mitigate the impact of excessive requests.
• Consider deploying a Web Application Firewall (WAF) to inspect and filter HTTP/2 traffic for known malicious patterns.

]]>mediumadvisoryhttp/2denial-of-servicewebserverhttps://feed.craftedsignal.io/briefs/2026-04-netty-chunked-smuggling/Thu, 26 Mar 2026 18:51:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-netty-chunked-smuggling/Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks by terminating chunk header parsing at \r\n inside quoted strings instead of rejecting the malformed request.A vulnerability exists in Netty’s HTTP/1.1 chunked transfer encoding extension parsing, specifically in how it handles quoted strings. This flaw, discovered during research into “Funky Chunks” HTTP request smuggling techniques, stems from Netty terminating chunk header parsing at \r\n inside quoted strings, instead of rejecting the request as malformed. This behavior deviates from RFC 9110, which mandates that CR (%x0D) and LF (%x0A) bytes are not permitted inside chunk extensions. This parsing differential allows attackers to smuggle HTTP requests. Versions affected include netty-codec-http < 4.1.132.Final and netty-codec-http versions >= 4.2.0.Alpha1 and < 4.2.10.Final. This matters for defenders because successful exploitation can lead to severe consequences, including cache poisoning and session hijacking.

Attack Chain

1. The attacker sends a crafted HTTP request with chunked transfer encoding.
2. The request includes a chunk extension containing a quoted string with embedded \r\n characters. For example: 1;a="\r\n.
3. Netty’s HTTP parser incorrectly terminates the chunk header parsing at the embedded \r\n.
4. The remaining portion of the intended chunk extension and the subsequent chunk data are interpreted as the beginning of a new HTTP request.
5. The attacker injects a smuggled HTTP request, such as GET /smuggled HTTP/1.1.
6. The vulnerable server processes both the initial and smuggled requests on the same connection.
7. The smuggled request is executed, potentially bypassing security controls or accessing sensitive data.
8. The server returns responses for both requests, potentially leading to cache poisoning or other malicious outcomes.

Impact

Successful exploitation of this vulnerability can lead to request smuggling, allowing attackers to inject arbitrary HTTP requests into a connection. This can result in cache poisoning, where smuggled responses may poison shared caches. Additionally, access control bypasses can occur, where smuggled requests circumvent frontend security controls. Session hijacking is also possible, where smuggled requests may intercept responses intended for other users. The impact is significant as it can compromise the confidentiality, integrity, and availability of web applications and services using vulnerable Netty versions.

Recommendation

• Upgrade to Netty version 4.1.132.Final or 4.2.10.Final or later to remediate CVE-2026-33870.
• Deploy the Sigma rule “Detect Netty Chunked Transfer Encoding Request Smuggling” to identify potentially malicious requests exploiting this vulnerability.
• Inspect web server logs for HTTP requests with chunked transfer encoding and chunk extensions containing quoted strings with embedded carriage returns and line feeds (\r\n) to identify exploitation attempts.
• Monitor network traffic for connections to 127.0.0.1 on port 8080 which is used in the proof of concept for request smuggling.

]]>highadvisorynettyrequest-smugglinghttp