CVE-2026-41417
Status: Received - Intake
BaseFortify

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
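The guard below is an added example and is not Netty's own code or the fix shipped in 4.2.13.Final and 4.1.133.Final. It mirrors the start-line check the constructors already perform, but applies it before any call to setUri(), which is where the page says validation is missing; it is a stopgap for code that cannot upgrade immediately. The class name SafeUriUpdate, the helper method names and the sample URIs are assumptions; the Netty types it imports (DefaultHttpRequest, HttpRequest, HttpMethod, HttpVersion) and the HttpRequest#setUri and #uri methods are the existing 4.x API.

```java
import io.netty.handler.codec.http.DefaultHttpRequest;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpVersion;

/**
 * Added example, not Netty project code. Applies the constructor-style
 * start-line check to a URI before handing it to HttpRequest#setUri(), so
 * an untrusted value cannot carry CR, LF or whitespace into the request
 * line that HttpRequestEncoder/RtspEncoder later write verbatim.
 * Class and method names are hypothetical.
 */
public final class SafeUriUpdate {

    private SafeUriUpdate() {}

    /**
     * True when the URI contains nothing that can terminate or split the
     * request line. Whitespace covers SP/HT as well as CR/LF; ISO control
     * characters (0x00-0x1F, 0x7F-0x9F) are rejected as a matter of course,
     * which is at least as strict as the constructor check.
     */
    public static boolean isStartLineSafe(String uri) {
        if (uri == null || uri.isEmpty()) {
            return false;
        }
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (Character.isWhitespace(c) || Character.isISOControl(c)) {
                return false;
            }
        }
        return true;
    }

    /** Runs the guard and only then delegates to the unvalidated setUri(). */
    public static HttpRequest setUriChecked(HttpRequest request, String uri) {
        if (!isStartLineSafe(uri)) {
            throw new IllegalArgumentException(
                    "URI contains whitespace or a control character and would break the request line");
        }
        return request.setUri(uri);
    }

    public static void main(String[] args) {
        HttpRequest request = new DefaultHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, "/");

        // Constructed sample: an ordinary path is accepted unchanged.
        setUriChecked(request, "/api/items?id=42");
        System.out.println("accepted uri=" + request.uri());

        // Constructed sample with a line break: the unpatched setUri() would
        // take this verbatim; the guard rejects it and the request keeps its old URI.
        try {
            setUriChecked(request, "/api/items\r\nX-Injected: 1");
            System.out.println("unexpected: value accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
            System.out.println("uri still=" + request.uri());
        }
    }
}
```

Route every setUri() call that can see external input through the guard (or, better, refuse to reassign the URI after construction and build a new request instead); the guard is no substitute for moving to a fixed release, since the constructors and encoders are the only places the library itself enforces the start-line rules.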
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-05-07
EPSS evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-444: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Netty where request-line validation can be bypassed if a DefaultHttpRequest or DefaultFullHttpRequest is created first and then its URI is changed later using the setUri() method.

While the constructors reject CRLF and whitespace characters that would break the start-line, the setUri() method does not perform the same validation.

As a result, the HttpRequestEncoder and RtspEncoder write the URI into the request line exactly as provided, allowing an attacker to inject CRLF characters and additional HTTP or RTSP requests.

This can lead to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side.

The issue is fixed in Netty versions 4.2.13.Final and 4.1.133.Final.


How can this vulnerability impact me?

This vulnerability can allow an attacker to perform HTTP request smuggling or desynchronization, which can lead to unauthorized request injection.

Such attacks can bypass security controls, manipulate web application behavior, or cause unexpected processing of requests.

On the RTSP side, it can enable injection of additional RTSP requests, potentially disrupting streaming services or allowing unauthorized commands.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update Netty to versions 4.2.13.Final or 4.1.133.Final where the issue is fixed.

