https://feed.craftedsignal.io/tags/netty/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 26 Mar 2026 18:51:27 +0000https://feed.craftedsignal.io/briefs/2026-04-netty-chunked-smuggling/Thu, 26 Mar 2026 18:51:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-netty-chunked-smuggling/Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks by terminating chunk header parsing at \r\n inside quoted strings instead of rejecting the malformed request.A vulnerability exists in Netty’s HTTP/1.1 chunked transfer encoding extension parsing, specifically in how it handles quoted strings. This flaw, discovered during research into “Funky Chunks” HTTP request smuggling techniques, stems from Netty terminating chunk header parsing at \r\n inside quoted strings, instead of rejecting the request as malformed. This behavior deviates from RFC 9110, which mandates that CR (%x0D) and LF (%x0A) bytes are not permitted inside chunk extensions. This parsing differential allows attackers to smuggle HTTP requests. Versions affected include netty-codec-http < 4.1.132.Final and netty-codec-http versions >= 4.2.0.Alpha1 and < 4.2.10.Final. This matters for defenders because successful exploitation can lead to severe consequences, including cache poisoning and session hijacking.

Attack Chain

1. The attacker sends a crafted HTTP request with chunked transfer encoding.
2. The request includes a chunk extension containing a quoted string with embedded \r\n characters. For example: 1;a="\r\n.
3. Netty’s HTTP parser incorrectly terminates the chunk header parsing at the embedded \r\n.
4. The remaining portion of the intended chunk extension and the subsequent chunk data are interpreted as the beginning of a new HTTP request.
5. The attacker injects a smuggled HTTP request, such as GET /smuggled HTTP/1.1.
6. The vulnerable server processes both the initial and smuggled requests on the same connection.
7. The smuggled request is executed, potentially bypassing security controls or accessing sensitive data.
8. The server returns responses for both requests, potentially leading to cache poisoning or other malicious outcomes.

Impact

Successful exploitation of this vulnerability can lead to request smuggling, allowing attackers to inject arbitrary HTTP requests into a connection. This can result in cache poisoning, where smuggled responses may poison shared caches. Additionally, access control bypasses can occur, where smuggled requests circumvent frontend security controls. Session hijacking is also possible, where smuggled requests may intercept responses intended for other users. The impact is significant as it can compromise the confidentiality, integrity, and availability of web applications and services using vulnerable Netty versions.

Recommendation

• Upgrade to Netty version 4.1.132.Final or 4.2.10.Final or later to remediate CVE-2026-33870.
• Deploy the Sigma rule “Detect Netty Chunked Transfer Encoding Request Smuggling” to identify potentially malicious requests exploiting this vulnerability.
• Inspect web server logs for HTTP requests with chunked transfer encoding and chunk extensions containing quoted strings with embedded carriage returns and line feeds (\r\n) to identify exploitation attempts.
• Monitor network traffic for connections to 127.0.0.1 on port 8080 which is used in the proof of concept for request smuggling.

]]>highadvisorynettyrequest-smugglinghttphttps://feed.craftedsignal.io/briefs/2026-05-03-netty-http2-dos/Thu, 26 Mar 2026 18:51:14 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-03-netty-http2-dos/A denial of service vulnerability exists in Netty's HTTP/2 server implementation where an unauthenticated user can exhaust server CPU resources by sending a flood of CONTINUATION frames with zero-byte payloads, bypassing size-based mitigations and leading to service unavailability with minimal bandwidth usage; affected versions include netty-codec-http2 < 4.1.132.Final and netty-codec-http2 versions >= 4.2.0.Alpha1 and < 4.2.10.Final.The Netty HTTP/2 CONTINUATION Frame Flood vulnerability (CVE-2026-33871) allows a remote, unauthenticated user to trigger a Denial of Service (DoS) condition on a Netty-based HTTP/2 server. This is achieved by sending a flood of HTTP/2 CONTINUATION frames, each containing a zero-byte payload. The vulnerability exists because Netty’s DefaultHttp2FrameReader does not enforce a limit on the number of CONTINUATION frames it processes after receiving a HEADERS frame without the END_HEADERS flag. The zero-byte payload bypasses the maxHeaderListSize protection, as this protection is only triggered when the added payload has a non-zero length. This forces the server to consume excessive CPU resources, monopolizing a connection thread and rendering the server unresponsive to legitimate requests. This vulnerability impacts Netty versions prior to 4.1.132.Final and versions between 4.2.0.Alpha1 and 4.2.10.Final.

Attack Chain

1. The attacker establishes a TCP connection to the targeted Netty HTTP/2 server.
2. The attacker sends an HTTP/2 HEADERS frame to initiate a new stream. The END_HEADERS flag is deliberately omitted from this frame.
3. The server, upon receiving the HEADERS frame without the END_HEADERS flag, prepares to receive subsequent CONTINUATION frames.
4. The attacker floods the server with a series of CONTINUATION frames, each containing a zero-byte payload. These frames are sent over the established TCP connection.
5. The DefaultHttp2FrameReader processes each CONTINUATION frame, but the verifyContinuationFrame() method fails to enforce a limit on the number of received frames.
6. The HeadersBlockBuilder.addFragment() method processes the zero-byte payload, bypassing the maxHeaderListSize protection. The server CPU continues to process the stream of CONTINUATION frames.
7. The server exhausts CPU resources on the connection thread, as it is continuously processing the flood of CONTINUATION frames.
8. Legitimate users are unable to connect to the server or experience significant delays due to the server’s unresponsiveness. This leads to a denial of service.

Impact

This vulnerability leads to a CPU-based Denial of Service (DoS). All services using the vulnerable Netty HTTP/2 server implementation are susceptible. An unauthenticated attacker can exhaust server CPU resources, preventing legitimate users from accessing the service. The minimal bandwidth requirement for this attack makes it practical and scalable, allowing an attacker to disrupt services with limited resources. Successful exploitation results in service unavailability, impacting business operations and user experience.

Recommendation

• Upgrade to Netty version 4.1.132.Final or 4.2.10.Final or later to patch CVE-2026-33871.
• Implement rate limiting on HTTP/2 CONTINUATION frames to mitigate the impact of a flood attack. Consider implementing this at the application level if upgrading Netty is not immediately feasible.
• Monitor CPU usage on servers running Netty HTTP/2 services. Alert on sustained high CPU usage, which may indicate an ongoing attack.
• Deploy the Sigma rules provided in this brief to detect potential exploitation attempts in your environment.

]]>highadvisorydenial-of-servicehttp2nettycve-2026-33871