CVE-2026-50020
Undergoing Analysis - In Progress
HTTP Request Boundary Confusion in Netty

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00–0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line, a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Affected Vendors & Products
Vendor: netty
Product: netty
Version / Range: before 4.1.135.Final and before 4.2.15.Final (both fixed versions excluded)
CWE ID: CWE-444
Description: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Executive Summary

This vulnerability exists in Netty's HttpObjectDecoder component in versions prior to 4.1.135.Final and 4.2.15.Final. The decoder incorrectly skips all initial ISO control characters (such as NUL, SOH, STX, BEL, DEL) and whitespace before reading the first HTTP request-line, which goes beyond the allowance in RFC 9112 §2.2 that only permits ignoring empty CRLF lines before the request-line.

Because Netty silently consumes these extra control characters while a front-end component may treat them differently, the two components can disagree about where one HTTP request ends and the next begins, especially in pipelined or multiplexed transports. This request-boundary confusion enables HTTP request smuggling attacks, in which an attacker exploits differences in how components interpret HTTP message boundaries.

The issue arises from the HttpObjectDecoder's state machine, which unconditionally skips these control characters before processing the initial request; this is inconsistent with the RFC and may differ from the behaviour of front-end components such as load balancers or TLS terminators.

Compliance Impact

The vulnerability in Netty's HttpObjectDecoder causes inconsistent interpretation of HTTP requests by skipping control characters beyond what RFC 9112 permits. This can lead to request-boundary confusion and HTTP request smuggling attacks, which may result in unauthorized manipulation of HTTP requests.

Such inconsistencies and potential security issues could impact compliance with standards and regulations like GDPR and HIPAA, which require secure and reliable handling of data transmissions to protect data integrity and prevent unauthorized access.

However, the provided information does not explicitly detail the direct effects on compliance with these regulations.

Impact Analysis

This vulnerability can lead to HTTP request smuggling attacks, where an attacker exploits the inconsistent handling of HTTP request boundaries between Netty and other front-end components.

Such attacks can cause desynchronization between components, potentially allowing attackers to bypass security controls, inject malicious requests, or interfere with the integrity of HTTP communications.

The CVSS score of 5.3 indicates a moderate severity with a network attack vector, low complexity, no required privileges or user interaction, and a low impact on integrity.

Detection Guidance

This vulnerability involves Netty's HttpObjectDecoder incorrectly skipping arbitrary initial control characters before reading the first HTTP request-line, which can lead to request-boundary confusion and HTTP request smuggling.

To detect this vulnerability on your network or system, you can monitor HTTP traffic for unusual or unexpected control characters (such as NUL, SOH, STX, BEL, DEL) preceding the first request-line in HTTP requests handled by Netty versions prior to 4.1.135.Final and 4.2.15.Final.

Suggested commands include using packet capture tools like tcpdump or Wireshark to capture plaintext HTTP requests and inspect the first bytes of each connection for control characters ahead of the request-line. For example:

  • tcpdump -i <interface> -s 0 -w netty-http.pcap 'tcp port 80'
    (writes full segments to a pcap for offline inspection; tcpdump -A renders non-printable bytes as '.', so grepping its text output for control characters does not work, and traffic on port 443 is TLS-encrypted and can only be inspected after decryption at the terminator)
  • In Wireshark, open the capture and use Follow TCP Stream (or the tcp.payload field) on each new connection to check the bytes preceding the first request-line; a segment that starts with control bytes may not be dissected as HTTP, so display filters on http.* fields alone can miss it.

Additionally, testing with crafted HTTP requests containing control characters before the request-line against your own Netty-based servers can help identify whether a server is vulnerable.

Mitigation Strategies

The primary mitigation step is to upgrade Netty to versions 4.1.135.Final or 4.2.15.Final or later, where the HttpObjectDecoder has been patched to restrict skipping to only empty CRLF lines as per RFC 9112 §2.2.

Until the upgrade can be applied, consider implementing additional front-end validation or filtering to detect and block HTTP requests containing unexpected control characters before the request-line.

Review and harden any front-end components such as load balancers or TLS terminators so that HTTP message boundaries are handled consistently across the chain and desynchronization is prevented.
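The two prefix-skipping rules the description contrasts, modelled side by side as an added example (constructed here, not Netty's code): `lenient_prefix_len` follows the pre-fix decoder (skip every ISO control byte and whitespace), `strict_prefix_len` follows the RFC 9112 §2.2 rule the fix restores (skip only empty CRLF lines), and `classify` flags a request stream whose first bytes the two rules treat differently, which is the check a front-end filter or a pcap-inspection script would apply to the start of each connection. The sample request-stream starts are constructed.

```python
# Constructed model of the two prefix-skipping rules (not Netty's code): the
# pre-fix HttpObjectDecoder rule versus the RFC 9112 §2.2 rule the fix restores.
CR, LF, SP, DEL = 0x0D, 0x0A, 0x20, 0x7F


def is_iso_control(b: int) -> bool:
    """Java Character.isISOControl for a single byte: 0x00-0x1F and 0x7F."""
    return b <= 0x1F or b == DEL


def lenient_prefix_len(data: bytes) -> int:
    """Pre-fix behaviour: skip every ISO control byte and every space before the
    request-line (the other whitespace bytes are already control bytes)."""
    i = 0
    while i < len(data) and (is_iso_control(data[i]) or data[i] == SP):
        i += 1
    return i


def strict_prefix_len(data: bytes) -> int:
    """RFC 9112 §2.2 behaviour: skip only empty CRLF lines (a bare LF or CR does not count)."""
    i = 0
    while i + 1 < len(data) and data[i] == CR and data[i + 1] == LF:
        i += 2
    return i


def classify(data: bytes) -> dict:
    """Compare both rules on the first bytes of a connection's request stream.
    desync_risk is True when the old decoder would silently absorb bytes that a
    compliant parser keeps, i.e. the two sides may disagree where the request starts."""
    lenient, strict = lenient_prefix_len(data), strict_prefix_len(data)
    return {
        "request_line": data[lenient:].split(b"\r\n", 1)[0].decode("ascii", "replace"),
        "lenient_skipped": lenient,
        "strict_skipped": strict,
        "unexpected_prefix": data[strict:lenient],  # bytes only the old decoder drops
        "desync_risk": lenient != strict,
    }


# Constructed sample request-stream starts, as a pcap-inspection script would see them.
SAMPLES = {
    "plain": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",
    "rfc_empty_lines": b"\r\n\r\nGET / HTTP/1.1\r\nHost: example\r\n\r\n",
    "nul_soh_prefix": b"\x00\x01GET / HTTP/1.1\r\nHost: example\r\n\r\n",
    "bare_lf": b"\n\nGET / HTTP/1.1\r\nHost: example\r\n\r\n",
    "leading_space": b" GET / HTTP/1.1\r\nHost: example\r\n\r\n",
}


def flagged(samples=SAMPLES) -> list:
    """Names of samples whose prefix the two rules handle differently (filter/alert candidates)."""
    return [name for name, data in samples.items() if classify(data)["desync_risk"]]
```

Only the RFC-permitted empty CRLF lines pass both rules unchanged; NUL/SOH bytes, bare LFs and a leading space are all absorbed by the old decoder and would be the cases for a front-end filter to reject.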
