CVE-2026-33870
HTTP Request Smuggling in Netty Due to Improper Chunked Parsing
Publication date: 2026-03-27
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netty | netty | to 4.1.132 (exc) |
| netty | netty | From 4.2.0 (inc) to 4.2.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33870 is a vulnerability in the Netty HTTP codec where the parser incorrectly handles quoted strings within HTTP/1.1 chunked transfer encoding extension values. Specifically, Netty prematurely terminates parsing upon encountering a carriage return and line feed (\r\n) inside a quoted string, instead of continuing until the closing quote as required by RFC 9110. This misinterpretation causes part of the chunk extension to be treated as chunk data or the start of a new HTTP request.
This flaw enables HTTP request smuggling attacks, where an attacker can craft malicious HTTP requests that confuse front-end proxies and back-end servers due to inconsistent parsing of chunked encoding. The vulnerability arises from Netty's failure to properly validate and reject chunk extensions containing invalid CR or LF characters before the terminating CRLF.
Additionally, the vulnerability involves nuanced HTTP request smuggling techniques exploiting differences in how HTTP parsers interpret chunk line terminators and chunked trailer sections, leading to ambiguous chunk boundaries and enabling smuggling of hidden requests.
How can this vulnerability impact me? :
This vulnerability can have several serious impacts including:
- HTTP Request Smuggling: Attackers can inject crafted HTTP requests that bypass normal request boundaries.
- Cache Poisoning: Smuggled requests can cause shared caches to store malicious or incorrect responses.
- Access Control Bypass: Smuggled requests may circumvent front-end security controls, allowing unauthorized access.
- Session Hijacking: Attackers can steal or manipulate other users' sessions by injecting smuggled requests.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-33870 involves identifying HTTP request smuggling attempts exploiting leniencies in HTTP/1.1 chunked transfer encoding parsing, especially ambiguous chunk line terminators and chunked trailer sections.
One approach is to use specialized tools updated with blind detection payloads designed for this vulnerability, such as the "smugchunks" tool mentioned in the research.
Network monitoring can focus on detecting unusual or malformed chunked HTTP requests that contain quoted strings with embedded CR/LF sequences or ambiguous chunk terminators.
While no explicit commands are provided in the resources, using HTTP request smuggling detection tools or crafting test requests with chunk extensions containing quoted strings and embedded CR/LF sequences can help identify vulnerable systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-33870 enables HTTP request smuggling attacks by exploiting incorrect parsing of HTTP/1.1 chunked transfer encoding in Netty. Such attacks can lead to unauthorized injection of HTTP requests, cache poisoning, access control bypass, and session hijacking.
These impacts can undermine the confidentiality and integrity of data handled by affected systems, potentially leading to unauthorized access or data leakage.
Consequently, organizations using vulnerable versions of Netty may face challenges in maintaining compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity.
Failure to address this vulnerability could result in violations of these standards due to compromised security controls and potential exposure of protected data.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Netty to a fixed version: 4.1.132.Final or later, or 4.2.12.Final or later, where the parsing issue has been corrected.
The fix involves correctly parsing quoted strings in chunk extensions by continuing until the closing double quote and rejecting any chunk extensions containing CR or LF characters before the terminating CRLF, as mandated by RFC 9110.
Additionally, ensure that any front-end proxies and back-end servers have consistent HTTP/1.1 chunked transfer encoding parsing behavior to prevent request smuggling due to parser mismatches.
If upgrading immediately is not possible, consider implementing strict input validation or filtering at the network edge to block suspicious chunked requests with malformed chunk extensions.