{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/netty/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["netty","request-smuggling","http"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in Netty\u0026rsquo;s HTTP/1.1 chunked transfer encoding extension parsing, specifically in how it handles quoted strings. The flaw, found during research into \u0026ldquo;Funky Chunks\u0026rdquo; HTTP request smuggling techniques, stems from Netty terminating chunk header parsing at \u003ccode\u003e\\r\\n\u003c/code\u003e inside a quoted string instead of rejecting the request as malformed. This deviates from the quoted-string grammar of RFC 9110 (Section 5.6.4), which the chunk extension grammar of RFC 9112 (Section 7.1.1) reuses: CR (\u003ccode\u003e%x0D\u003c/code\u003e) and LF (\u003ccode\u003e%x0A\u003c/code\u003e) are not permitted inside a quoted string, so a CRLF that arrives before the closing quote makes the chunk header malformed. A parser that follows the grammar and a vulnerable Netty back-end therefore disagree about where the chunk header, and with it the request, ends; this parsing differential allows attackers to smuggle HTTP requests. Affected versions are netty-codec-http \u0026lt; 4.1.132.Final and netty-codec-http \u0026gt;= 4.2.0.Alpha1 and \u0026lt; 4.2.10.Final. This matters for defenders because successful exploitation can lead to cache poisoning, bypass of front-end security controls and session hijacking.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request with chunked transfer encoding.\u003c/li\u003e\n\u003cli\u003eThe request includes a chunk extension whose quoted string contains an embedded \u003ccode\u003e\\r\\n\u003c/code\u003e, for example \u003ccode\u003e1;a=\u0026quot;\\r\\n\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eNetty\u0026rsquo;s HTTP parser incorrectly terminates the chunk header at the embedded \u003ccode\u003e\\r\\n\u003c/code\u003e instead of rejecting the request.\u003c/li\u003e\n\u003cli\u003eThe remaining portion of the intended chunk extension and the subsequent chunk data are interpreted as the beginning of a new HTTP request rather than as part of the first request.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a smuggled HTTP request, such as \u003ccode\u003eGET /smuggled HTTP/1.1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable server processes both the initial and the smuggled request on the same connection.\u003c/li\u003e\n\u003cli\u003eThe smuggled request is executed, potentially bypassing security controls or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe server returns responses for both requests, which can lead to cache poisoning or other malicious outcomes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to inject arbitrary HTTP requests into a connection, with three main consequences. Cache poisoning: responses to smuggled requests can be stored by a shared cache and served to other users. Access control bypass: a smuggled request reaches the back-end without passing the front-end security controls applied to the request that carried it. Session hijacking: a smuggled request can capture a response intended for another user. 
The exposure is greatest where a vulnerable Netty back-end sits behind a proxy, load balancer or shared cache that parses chunk extensions differently, because smuggling depends on that parsing differential; in that position the flaw can compromise the confidentiality, integrity and availability of the web applications and services behind it.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade netty-codec-http to 4.1.132.Final (4.1 line) or 4.2.10.Final (4.2 line) or later to remediate CVE-2026-33870. Check transitive dependencies as well as direct ones, since Netty is usually pulled in by a framework or client library rather than declared explicitly.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Netty Chunked Transfer Encoding Request Smuggling\u0026rdquo; to identify requests that attempt to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for chunked requests whose chunk extensions contain a quoted string with an embedded carriage return and line feed (\u003ccode\u003e\\r\\n\u003c/code\u003e). Ordinary access logs do not record chunk headers, so this needs body-level capture at a proxy or WAF; a front-end that rejects the malformed chunk header will also surface the attempt in its own error log.\u003c/li\u003e\n\u003cli\u003eThe proof of concept referenced by this brief targets 127.0.0.1 on port 8080. That address is an artifact of the test setup, not an indicator of exploitation, so do not build detections on it; detect the malformed chunk header instead.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T18:51:27Z","date_published":"2026-03-26T18:51:27Z","id":"/briefs/2026-04-netty-chunked-smuggling/","summary":"Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks by terminating chunk header parsing at \\r\\n inside quoted strings instead of rejecting the malformed request.","title":"Netty HTTP Request Smuggling via Chunked Extension Quoted-String Parsing","url":"https://feed.craftedsignal.io/briefs/2026-04-netty-chunked-smuggling/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["denial-of-service","http2","netty","cve-2026-33871"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Netty HTTP/2 CONTINUATION Frame Flood vulnerability (CVE-2026-33871) allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition on a Netty-based HTTP/2 
server. The attacker sends a flood of HTTP/2 \u003ccode\u003eCONTINUATION\u003c/code\u003e frames, each with a zero-byte payload. The vulnerability exists because Netty\u0026rsquo;s \u003ccode\u003eDefaultHttp2FrameReader\u003c/code\u003e does not limit the number of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames it accepts after a \u003ccode\u003eHEADERS\u003c/code\u003e frame that lacks the \u003ccode\u003eEND_HEADERS\u003c/code\u003e flag. The \u003ccode\u003emaxHeaderListSize\u003c/code\u003e protection does not help, because it is only evaluated when a fragment of non-zero length is added to the header block, and a zero-byte fragment never grows the block. The server therefore spends CPU decoding an unbounded sequence of frames that never completes a request, tying up the event loop thread that serves the connection (and every other connection assigned to that event loop) and rendering the server unresponsive to legitimate requests. Affected versions are netty-codec-http2 \u0026lt; 4.1.132.Final and netty-codec-http2 \u0026gt;= 4.2.0.Alpha1 and \u0026lt; 4.2.10.Final.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker establishes a TCP connection to the targeted Netty HTTP/2 server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP/2 \u003ccode\u003eHEADERS\u003c/code\u003e frame to initiate a new stream, deliberately omitting the \u003ccode\u003eEND_HEADERS\u003c/code\u003e flag.\u003c/li\u003e\n\u003cli\u003eThe server, having received a \u003ccode\u003eHEADERS\u003c/code\u003e frame without \u003ccode\u003eEND_HEADERS\u003c/code\u003e, expects the header block to continue in subsequent \u003ccode\u003eCONTINUATION\u003c/code\u003e frames.\u003c/li\u003e\n\u003cli\u003eThe attacker floods the server with \u003ccode\u003eCONTINUATION\u003c/code\u003e frames, each containing a zero-byte payload. 
These frames are sent over the established TCP connection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDefaultHttp2FrameReader\u003c/code\u003e processes each \u003ccode\u003eCONTINUATION\u003c/code\u003e frame, but the \u003ccode\u003everifyContinuationFrame()\u003c/code\u003e method fails to enforce a limit on the number of received frames.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eHeadersBlockBuilder.addFragment()\u003c/code\u003e method processes the zero-byte payload, bypassing the \u003ccode\u003emaxHeaderListSize\u003c/code\u003e protection. The server CPU continues to process the stream of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames.\u003c/li\u003e\n\u003cli\u003eThe server exhausts CPU resources on the connection thread, as it is continuously processing the flood of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames.\u003c/li\u003e\n\u003cli\u003eLegitimate users are unable to connect to the server or experience significant delays due to the server\u0026rsquo;s unresponsiveness. This leads to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability leads to a CPU-based Denial of Service (DoS). All services using the vulnerable Netty HTTP/2 server implementation are susceptible. An unauthenticated attacker can exhaust server CPU resources, preventing legitimate users from accessing the service. The minimal bandwidth requirement for this attack makes it practical and scalable, allowing an attacker to disrupt services with limited resources. 
Successful exploitation results in service unavailability, impacting business operations and user experience.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade netty-codec-http2 to 4.1.132.Final (4.1 line) or 4.2.10.Final (4.2 line) or later to patch CVE-2026-33871.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, cap the number of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames accepted per header block. These frames are consumed inside the HTTP/2 codec before any request reaches application code, so the cap has to live in the frame decoder or in a proxy or load balancer in front of Netty; request-level rate limiting in the application does not help, because the flooded header block never completes into a request.\u003c/li\u003e\n\u003cli\u003eMonitor CPU usage on servers running Netty HTTP/2 services and alert on sustained high usage, which may indicate an ongoing attack. Where the front-end exposes per-connection frame counts, the pattern to look for is a connection that has sent many \u003ccode\u003eCONTINUATION\u003c/code\u003e frames while completing no requests.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect potential exploitation attempts in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T18:51:14Z","date_published":"2026-03-26T18:51:14Z","id":"/briefs/2026-05-03-netty-http2-dos/","summary":"A denial of service vulnerability exists in Netty's HTTP/2 server implementation where an unauthenticated user can exhaust server CPU resources by sending a flood of CONTINUATION frames with zero-byte payloads, bypassing size-based mitigations and leading to service unavailability with minimal bandwidth usage; affected versions include netty-codec-http2 \u003c 4.1.132.Final and netty-codec-http2 versions \u003e= 4.2.0.Alpha1 and \u003c 4.2.10.Final.","title":"Netty HTTP/2 CONTINUATION Frame Flood Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-05-03-netty-http2-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Netty","version":"https://jsonfeed.org/version/1.1"}
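For the first brief in the feed above (Netty HTTP Request Smuggling via Chunked Extension Quoted-String Parsing), the following Python is an added example written for this page; it is not Netty's parser and not code from the Funky Chunks research. It puts a grammar-conforming chunk-header parser (RFC 9112 chunk-ext with the RFC 9110 quoted-string rule that CR and LF are not qdtext) beside a lenient parser that stops at the first CRLF, which is the behaviour the brief attributes to Netty, and runs both over a constructed chunked body that carries the brief's `1;a="\r\n` extension followed by a `GET /smuggled` request line. The body, the function names and the error messages are assumptions for the demo, and optional whitespace inside chunk extensions is not handled.

```python
"""Strict versus lenient HTTP/1.1 chunk-header parsing (added example, not Netty code).

lenient_chunk_header models the behaviour the brief describes: the first CRLF ends the
chunk header even inside a quoted string. strict_chunk_header applies the RFC 9112
chunk-ext grammar with the RFC 9110 quoted-string rule that CR and LF are not qdtext.
BODY is a constructed chunked body, not captured traffic.
"""
import re

CRLF = b"\r\n"
HEXDIG = b"0123456789abcdefABCDEF"
TCHAR = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]")  # RFC 9110 tchar


class MalformedChunk(ValueError):
    """Raised when a chunk header does not match the grammar."""


def lenient_chunk_header(buf, pos):
    """Vulnerable-style: the chunk header ends at the first CRLF, quotes are ignored."""
    end = buf.find(CRLF, pos)
    if end < 0:
        raise MalformedChunk("no CRLF after chunk header")
    size = int(buf[pos:end].split(b";", 1)[0].strip(), 16)
    return size, end + 2


def strict_chunk_header(buf, pos):
    """Grammar-conforming (optional whitespace not handled):
    chunk-size *( ";" ext-name [ "=" ( token / quoted-string ) ] ) CRLF"""
    i = pos
    while i < len(buf) and buf[i] in HEXDIG:
        i += 1
    if i == pos:
        raise MalformedChunk("missing chunk-size")
    size = int(buf[pos:i], 16)
    while buf[i:i + 1] == b";":  # chunk-ext
        i = _token(buf, i + 1)  # chunk-ext-name
        if buf[i:i + 1] == b"=":
            i += 1
            i = _quoted_string(buf, i) if buf[i:i + 1] == b'"' else _token(buf, i)
    if buf[i:i + 2] != CRLF:
        raise MalformedChunk("chunk header not terminated by CRLF")
    return size, i + 2


def _token(buf, i):
    start = i
    while TCHAR.match(buf, i):
        i += 1
    if i == start:
        raise MalformedChunk("expected token")
    return i


def _quoted_string(buf, i):
    i += 1  # opening DQUOTE
    while i < len(buf):
        c = buf[i]
        if c == 0x22:  # closing DQUOTE
            return i + 1
        if c in (0x0D, 0x0A):  # CR and LF are not qdtext: reject, do not terminate
            raise MalformedChunk("CR or LF inside quoted-string")
        i += 2 if c == 0x5C else 1  # quoted-pair also consumes the escaped octet
    raise MalformedChunk("unterminated quoted-string")


# Constructed chunked body: the extension opens a quoted string that is still open at
# the CRLF; after the terminating 0-chunk the remaining bytes spell a second request
# line (the brief's "GET /smuggled" example).
BODY = b'1;a="\r\nX\r\n0\r\n\r\nGET /smuggled HTTP/1.1\r\nHost: example.test\r\n\r\n'


def decode_chunked(buf, header_parser):
    """Decode one chunked body; returns (decoded body, bytes left on the connection)."""
    body, pos = bytearray(), 0
    while True:
        size, pos = header_parser(buf, pos)
        if size == 0:
            break
        body += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != CRLF:
            raise MalformedChunk("chunk data not terminated by CRLF")
        pos += 2
    if buf[pos:pos + 2] != CRLF:  # empty trailer section
        raise MalformedChunk("missing CRLF after last-chunk")
    return bytes(body), buf[pos + 2:]


def demo():
    """Lenient parsing leaves a second request line on the connection;
    strict parsing rejects the header before any body is consumed."""
    body, leftover = decode_chunked(BODY, lenient_chunk_header)
    lenient = (body, leftover.split(CRLF, 1)[0].decode())
    try:
        decode_chunked(BODY, strict_chunk_header)
        strict = "accepted"
    except MalformedChunk as e:
        strict = "rejected: " + str(e)
    return lenient, strict
```

`demo()` returns the lenient parser's view, a one-byte body with `GET /smuggled HTTP/1.1` left on the connection as the next request, alongside the strict parser's rejection of the same bytes. The brief's log-inspection bullet reduces to the check `_quoted_string` performs: a CR or LF that appears after an opening double quote in a chunk header and before its closing quote.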
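For the second brief (Netty HTTP/2 CONTINUATION Frame Flood Denial of Service), the following Python is an added example written for this page; it is not Netty's `DefaultHttp2FrameReader`. It encodes HTTP/2 frames in the RFC 9113 Section 4.1 layout, builds the sequence the brief describes (a HEADERS frame without END_HEADERS followed by zero-byte CONTINUATION frames) and feeds it to a toy header-block reassembler that enforces either a byte limit alone, standing in for `maxHeaderListSize`, or that limit plus a per-block cap on CONTINUATION frames. The reassembler, the limit values (8192 bytes, 64 frames), the frame count and the HPACK bytes are assumptions for the demo; PADDED and PRIORITY fields of HEADERS frames are not handled.

```python
"""HTTP/2 CONTINUATION flood versus a size-only header limit (added example, not Netty code).

frame/iter_frames implement the RFC 9113 frame layout. HeaderBlockReader reassembles
HEADERS + CONTINUATION fragments under a byte limit (the maxHeaderListSize-style check
the brief describes) and, optionally, a cap on CONTINUATION frames per header block.
flood() builds the constructed attack stream; limits and counts are demo assumptions.
"""
import struct

HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack("!I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        yield ftype, flags, stream_id, buf[pos + 9:pos + 9 + length]
        pos += 9 + length


class ProtocolError(Exception):
    """Connection-level error: the peer violated a limit."""


class HeaderBlockReader:
    """Reassembles HEADERS + CONTINUATION fragments (PADDED/PRIORITY fields ignored).

    max_block_bytes only trips when the block grows, so zero-length fragments never
    reach it; max_continuations counts frames, which is what actually stops a flood.
    """

    def __init__(self, max_block_bytes=8192, max_continuations=None):
        self.max_block_bytes = max_block_bytes
        self.max_continuations = max_continuations
        self.block = None  # header block under construction, or None
        self.continuations = 0
        self.frames_seen = 0
        self.completed = []

    def feed(self, buf):
        """Process every frame in buf; returns the number of frames decoded."""
        for ftype, flags, _sid, payload in iter_frames(buf):
            self.frames_seen += 1
            if ftype == HEADERS:
                if self.block is not None:
                    raise ProtocolError("HEADERS while a header block is open")
                self.block, self.continuations = bytearray(), 0
            elif ftype == CONTINUATION:
                if self.block is None:
                    raise ProtocolError("CONTINUATION without open header block")
                self.continuations += 1
                if self.max_continuations is not None and self.continuations > self.max_continuations:
                    raise ProtocolError("CONTINUATION frame count exceeded")
            else:
                continue
            self.block += payload
            if len(self.block) > self.max_block_bytes:  # never true for empty fragments
                raise ProtocolError("header block too large")
            if flags & END_HEADERS:
                self.completed.append(bytes(self.block))
                self.block = None
        return self.frames_seen


def flood(n_frames, stream_id=1):
    """Constructed attack stream: HEADERS without END_HEADERS, then n zero-byte
    CONTINUATION frames. 0x82 is the HPACK indexed representation of ':method: GET'."""
    return frame(HEADERS, 0, stream_id, b"\x82") + frame(CONTINUATION, 0, stream_id) * n_frames


def run(reader, buf):
    """Returns (outcome, frames decoded before the reader stopped)."""
    try:
        reader.feed(buf)
        return "accepted", reader.frames_seen
    except ProtocolError as e:
        return str(e), reader.frames_seen


def demo(n_frames=10_000):
    """The same flood against a size-only reader and a frame-capped reader."""
    attack = flood(n_frames)
    return {
        "bytes_on_wire": len(attack),
        "size_only": run(HeaderBlockReader(max_block_bytes=8192), attack),
        "capped": run(HeaderBlockReader(max_block_bytes=8192, max_continuations=64), attack),
    }
```

With the defaults, the size-only reader decodes all 10 001 frames (90 010 bytes on the wire) without ever completing a request, while the frame-capped reader aborts the connection on the 65th CONTINUATION frame. The cap lives in the frame decoder, which is the layer the mitigation bullet in the brief refers to; nothing at the request level ever sees the flood.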