CVE-2026-33870
Received Received - Intake
HTTP Request Smuggling in Netty Due to Improper Chunked Parsing

Publication date: 2026-03-27

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33870
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
netty netty to 4.1.132 (exc)
netty netty From 4.2.0 (inc) to 4.2.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33870 is a vulnerability in the Netty HTTP codec where the parser incorrectly handles quoted strings within HTTP/1.1 chunked transfer encoding extension values. Specifically, Netty prematurely terminates parsing upon encountering a carriage return and line feed (\r\n) inside a quoted string, instead of continuing until the closing quote as required by RFC 9110. This misinterpretation causes part of the chunk extension to be treated as chunk data or the start of a new HTTP request.

This flaw enables HTTP request smuggling attacks, where an attacker can craft malicious HTTP requests that confuse front-end proxies and back-end servers due to inconsistent parsing of chunked encoding. The vulnerability arises from Netty's failure to properly validate and reject chunk extensions containing invalid CR or LF characters before the terminating CRLF.

Additionally, the vulnerability involves nuanced HTTP request smuggling techniques exploiting differences in how HTTP parsers interpret chunk line terminators and chunked trailer sections, leading to ambiguous chunk boundaries and enabling smuggling of hidden requests.

Impact Analysis

This vulnerability can have several serious impacts including:

  • HTTP Request Smuggling: Attackers can inject crafted HTTP requests that bypass normal request boundaries.
  • Cache Poisoning: Smuggled requests can cause shared caches to store malicious or incorrect responses.
  • Access Control Bypass: Smuggled requests may circumvent front-end security controls, allowing unauthorized access.
  • Session Hijacking: Attackers can steal or manipulate other users' sessions by injecting smuggled requests.
Detection Guidance

Detection of CVE-2026-33870 involves identifying HTTP request smuggling attempts exploiting leniencies in HTTP/1.1 chunked transfer encoding parsing, especially ambiguous chunk line terminators and chunked trailer sections.

One approach is to use specialized tools updated with blind detection payloads designed for this vulnerability, such as the "smugchunks" tool mentioned in the research.

Network monitoring can focus on detecting unusual or malformed chunked HTTP requests that contain quoted strings with embedded CR/LF sequences or ambiguous chunk terminators.

While no explicit commands are provided in the resources, using HTTP request smuggling detection tools or crafting test requests with chunk extensions containing quoted strings and embedded CR/LF sequences can help identify vulnerable systems.

Mitigation Strategies

The primary mitigation step is to upgrade Netty to a fixed version: 4.1.132.Final or later, or 4.2.12.Final or later, where the parsing issue has been corrected.

The fix involves correctly parsing quoted strings in chunk extensions by continuing until the closing double quote and rejecting any chunk extensions containing CR or LF characters before the terminating CRLF, as mandated by RFC 9110.

Additionally, ensure that any front-end proxies and back-end servers have consistent HTTP/1.1 chunked transfer encoding parsing behavior to prevent request smuggling due to parser mismatches.

If upgrading immediately is not possible, consider implementing strict input validation or filtering at the network edge to block suspicious chunked requests with malformed chunk extensions.

Compliance Impact

CVE-2026-33870 enables HTTP request smuggling attacks by exploiting incorrect parsing of HTTP/1.1 chunked transfer encoding in Netty. Such attacks can lead to unauthorized injection of HTTP requests, cache poisoning, access control bypass, and session hijacking.

These impacts can undermine the confidentiality and integrity of data handled by affected systems, potentially leading to unauthorized access or data leakage.

Consequently, organizations using vulnerable versions of Netty may face challenges in maintaining compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity.

Failure to address this vulnerability could result in violations of these standards due to compromised security controls and potential exposure of protected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33870. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart