{"id":"CVE-2021-21295","details":"Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.","aliases":["BIT-zookeeper-2021-21295","GHSA-wm47-8v5p-wjpj"],"modified":"2026-04-11T23:33:59.736465Z","published":"2021-03-09T19:15:12.657Z","related":["CGA-hw8x-848c-wv4m","GHSA-wm47-8v5p-wjpj","MGASA-2021-0374","SUSE-SU-2022:1271-1","openSUSE-SU-2021:0448-1","openSUSE-SU-2024:11085-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6%40%3Cissues.hbase.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064%40%3Cissues.hbase.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81%40%3Cissues.hbase.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190%40%3Cissues.hbase.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb%40%3Cissues.hbase.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c%40%3Cdev.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8%40%3Ccommits.hbase.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3%40%3Cdev.jackrabbit.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b%40%3Cissues.hbase.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece%40%3Cissues.hbase.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1%40%3Cissues.hbase.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf%40%3Cissues.hbase.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd%40%3Cdev.hbase.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E"},{"type":"ADVISORY","url":"https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4885"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210604-0003/"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"},{"type":"FIX","url":"https://github.com/Netflix/zuul/pull/980"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/kudu","events":[{"introduced":"0"},{"fixed":"5cd6779a073ce02e19a3794dd19657df6aeea86c"},{"introduced":"0"},{"last_affected":"f9a1c3b2bae482ec1f44f78eea7c96c01455c20a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.16.0"},{"introduced":"0"},{"last_affected":"1.14.0"}]}},{"type":"GIT","repo":"https://github.com/apache/zookeeper","events":[{"introduced":"0"},{"last_affected":"83df9301aa5c2a5d284a9940177808c01bc35cef"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.5.9"}]}},{"type":"GIT","repo":"https://github.com/netty/netty","events":[{"introduced":"0"},{"fixed":"eef26e8bb571612b76235841a84f605b9ae5d777"},{"fixed":"89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.1.60"}]}},{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"last_affected":"7bdb007f650a604f589eb44264b4df4800f697c0"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.13.7"}]}}],"versions":["1.13.7.Final","1.14.0","1.14.0-RC1","netty-4.0.0.Alpha1","netty-4.0.0.Alpha2","netty-4.0.0.Alpha3","netty-4.0.0.Alpha4","netty-4.0.0.Alpha5","netty-4.0.0.Alpha6","netty-4.0.0.Alpha7","netty-4.0.0.Alpha8","netty-4.0.0.Beta1","netty-4.0.0.Beta2","netty-4.0.0.Beta3","netty-4.0.0.CR1","netty-4.0.0.CR2","netty-4.0.0.CR3","netty-4.0.0.CR4","netty-4.0.0.CR5","netty-4.0.0.CR7","netty-4.0.0.CR8","netty-4.0.0.CR9","netty-4.0.0.Final","netty-4.0.1.Final","netty-4.0.10.Final","netty-4.0.11.Final","netty-4.0.12.Final","netty-4.0.13.Final","netty-4.0.14.Beta1","netty-4.0.14.Final","netty-4.0.15.Final","netty-4.0.2.Final","netty-4.0.3.Final","netty-4.0.4.Final","netty-4.0.5.Final","netty-4.0.6.Final","netty-4.0.7.Final","netty-4.0.8.Final","netty-4.1.0.Beta1","netty-4.1.0.Beta2","netty-4.1.0.Beta3","netty-4.1.0.Beta4","netty-4.1.0.Beta5","netty-4.1.0.Beta6","netty-4.1.0.Beta7","netty-4.1.0.Beta8","netty-4.1.0.CR1","netty-4.1.0.CR2","netty-4.1.0.CR3","netty-4.1.0.CR4","netty-4.1.0.CR5","netty-4.1.0.CR6","netty-4.1.0.CR7","netty-4.1.0.Final","netty-4.1.1.Final","netty-4.1.10.Final","netty-4.1.11.Final","netty-4.1.12.Final","netty-4.1.13.Final","netty-4.1.14.Final","netty-4.1.15.Final","netty-4.1.16.Final","netty-4.1.17.Final","netty-4.1.18.Final","netty-4.1.19.Final","netty-4.1.2.Final","netty-4.1.20.Final","netty-4.1.21.Final","netty-4.1.22.Final","netty-4.1.23.Final","netty-4.1.24.Final","netty-4.1.25.Final","netty-4.1.26.Final","netty-4.1.27.Final","netty-4.1.28.Final","netty-4.1.29.Final","netty-4.1.3.Final","netty-4.1.30.Final","netty-4.1.31.Final","netty-4.1.32.Final","netty-4.1.33.Final","netty-4.1.34.Final","netty-4.1.35.Final","netty-4.1.36.Final","netty-4.1.37.Final","netty-4.1.38.Final","netty-4.1.39.Final","netty-4.1.4.Final","netty-4.1.40.Final","netty-4.1.41.Final","netty-4.1.42.Final","netty-4.1.43.Final","netty-4.1.44.Final","netty-4.1.45.Final","netty-4.1.46.Final","netty-4.1.47.Final","netty-4.1.48.Final","netty-4.1.49.Final","netty-4.1.5.Final","netty-4.1.50.Final","netty-4.1.51.Final","netty-4.1.52.Final","netty-4.1.53.Final","netty-4.1.54.Final","netty-4.1.55.Final","netty-4.1.56.Final","netty-4.1.57.Final","netty-4.1.58.Final","netty-4.1.59.Final","netty-4.1.6.Final","netty-4.1.7.Final","netty-4.1.8.Final","netty-4.1.9.Final","release-3.5.3","release-3.5.3-rc0","release-3.5.3-rc1","release-3.5.4","release-3.5.4-rc0","release-3.5.9","release-3.5.9-rc0","release-3.5.9-rc1","release-3.5.9-rc2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21295.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"vanir_signatures_modified":"2026-04-11T23:33:59Z","vanir_signatures":[{"signature_version":"v1","deprecated":false,"id":"CVE-2021-21295-076b3ec5","target":{"function":"setup","file":"codec-http2/src/test/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoderTest.java"},"source":"https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4","signature_type":"Function","digest":{"length":3367,"function_hash":"163131827113553283573844942889829219890"}},{"signature_version":"v1","deprecated":false,"id":"CVE-2021-21295-216e269d","target":{"function":"onDataRead","file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"},"source":"https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4","signature_type":"Function","digest":{"length":1776,"function_hash":"13121290283312984908769800193190709635"}},{"signature_version":"v1","deprecated":false,"id":"CVE-2021-21295-4eedce72","target":{"function":"onHeadersRead","file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"},"source":"https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4","signature_type":"Function","digest":{"length":1745,"function_hash":"128044597731365074561874345448063835682"}},{"signature_version":"v1","deprecated":false,"id":"CVE-2021-21295-a76263b7","target":{"file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"},"source":"https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["56801147450464915608998571466296945863","305787734193413226865597980471825739760","176320523147012450593030853993821327774","328234067401346632819186893881124413590","178909883660891606341138859683996519690","117473473298518506572612753114190829377","306524088069364581824744845396008845471","117657372999695485907251383292519926534","90095140119087404172067345192533290154","304205579781524715678478014827083073728","175791843801440861430177089523629387278","88545892492473711316712938769548881976","71410437774918518317867979898141400014","10479739303966359378562229528357192268","227908318583809173522812830450313273528","320253033835078425890951820027553641654","167637645316055634972802575172582973514","201699643622103271051135051452302913307","335659523283194323915172657828209262801","217680393614924871033195702334336205272","61315750306711228537583588486184248967","133900362357527303460237906110176880081","211645333342385333571813385344744813794","46219337575958502899013754661525049534","124269086603415208659607819358758503214","330004896875272548683785211390276273849","223894373512718001275955688513063374981","104709013446280129249792480036482959307","63277730938516402947096361918302154010","326818812999830356969684829816190328475","235303252092448803718369134685771971368","102113664438365445319651651762671979029","238884840896936821260275221957201547135","50929174104698332345549418113424668182","297831061452507531023591738340990418765","305581139940413303909949211743152590001","272289468428134422709572328812929650679","18240670485617348217017990696544482939","5161616558033022922717277269623311214","19962446268599148731404030178213257047"]}},{"signature_version":"v1","deprecated":false,"id":"CVE-2021-21295-a9c4ad9d","target":{"function":"readHeaders","file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"},"source":"https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4","signature_type":"Function","digest":{"length":2005,"function_hash":"136039075965439866115078610044858331213"}},{"signature_version":"v1","deprecated":false,"id":"CVE-2021-21295-aba17309","target":{"function":"DefaultHttp2ConnectionDecoder","file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"},"source":"https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4","signature_type":"Function","digest":{"length":762,"function_hash":"9084650937557526153332955569107186263"}},{"signature_version":"v1","deprecated":false,"id":"CVE-2021-21295-dca6c806","target":{"file":"codec-http2/src/test/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoderTest.java"},"source":"https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["126344892869594928014044763305123625331","87074137958240970938389127507030116076","190907003409725621268836162597533271784","16349625658632855229629297345956181671","263391697929191456185666087747494324715","336916350501142639771636661717585389262","302205978192499199118830293330389027250","123925897227127822382557495418897418418","69894908558659461431779000122533191348","3853748565542205885409537983304468450","39395700946577790170576037310444002434","306197664328722483981957097939818245176","293149647761448423733898173348094430012","26260724055893472957663343342004780214","148560416443248551818340986676877237494","68285722545211170465444984656998271118","166465438176436264342148049123294004266","316545207810442875339905924506419806583","62964032188391783466358178842237132936","281598869966825558931979861765142415609","325023474999970616961394501424910823943"]}},{"signature_version":"v1","deprecated":false,"id":"CVE-2021-21295-e06a9d85","target":{"file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"},"source":"https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["164397687793919126235382670453790406125","145113729578345138538789037881964768050","245439652996296190444180521130132207242","213414524208182422546049020380734385626","254962056978756764886241622967337234349","310352253922811771755203309566863156039","317942778590860116440094703626850807135","14291648473826393899311187209913117543","64031734714818190934801921273335133522","291122773435198562375316743309903221812","251844405650014314219319891077685940750","170408057795286915143819984119014287317","142864601630603117362517797545603901407","275853528944319188776588937526294529797","214785981059220793922361684158690628085","151900491808285659094273936863652390687","65528626281378921832933716922633210756","264779714317578818787512444478284950345","214482292268366476038742898540697200546","184265540816685878914732024960009028313","104050348910002138347870741001997459839","214159995791178535385466432015784882617","67629897710851728596128133578550349496","70518487440308753413412217038549562636","205518209126584430943038427760694954857","1701292401270369422684318588660195476","61446602767138634013576343845334059744","330401013916243809353447802369666586028","70752595030837459442815352221321875452","12416604800241386987751795228893204740","42871084117433635731663370747703421593","146667816185960961753749311893918699035"]}},{"signature_version":"v1","deprecated":false,"id":"CVE-2021-21295-f8c8dec9","target":{"file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpUtil.java"},"source":"https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["260905483037379100448616532127950713170","155881490674833820368238073283249505901","245912528762103197135989277749650384584","249085615949756701494769549826034618887","203156711581673838062272706559020996798","130117003699404404611541727559836666176","14919518235588270136619744552154121517","312811872835529731788902708862002934525","292991496705391134366628779717611022012","312649191103442262961422826374096300794","237207830113709018856736220745747906307","279379860327261942888738829983651561825"]}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}