CVE-2026-50020
Published:June 12, 2026
Updated:June 18, 2026
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, "HttpObjectDecoder" skips every byte for which "Character.isISOControl(b)" is "true" (0x00–0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Affected Packages
https://github.com/netty/netty.git (GITHUB):
Affected version(s) >=netty-tag <4.1.135.FinalFix Suggestion:
Update to version 4.1.135.Finalio.netty:netty-codec-http (JAVA):
Affected version(s) >=4.0.0.Alpha1 <4.1.135.FinalFix Suggestion:
Update to version 4.1.135.Finalio.netty:netty-codec-http (JAVA):
Affected version(s) >=4.2.0.Final <4.2.15.FinalFix Suggestion:
Update to version 4.2.15.FinalRelated Resources (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
EPSS
Base Score:
0.23