CVE-2026-50020

June 12, 2026, 5:16 p.m.

5.3
Medium

Description

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00–0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Product(s) Impacted

Vendor Product Versions
Netty
  • Netty
  • <4.1.135.Final, <4.2.15.Final

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a netty netty <4.1.135.Final / / / / / / /
a netty netty <4.2.15.Final / / / / / / /

References

https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
https://github.com/netty/netty/security/advisories/GHSA-hvcg-qmg6-jm4c
https://github.com/netty/netty/security/advisories/GHSA-hvcg-qmg6-jm4c

Tags

[email protected]
CWE-444
2026-06-12
CVE-2026-50020

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

    View Vector String

Timeline

Published: June 12, 2026, 4:16 p.m.
Last Modified: June 12, 2026, 5:16 p.m.

Status : Undergoing Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.