{"id":"CVE-2021-21409","details":"Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.","aliases":["GHSA-f256-j965-7f32"],"modified":"2026-04-11T23:34:01.375090Z","published":"2021-03-30T15:15:14.573Z","related":["CGA-w5v7-493q-c2hq","GHSA-f256-j965-7f32","GHSA-wm47-8v5p-wjpj","MGASA-2021-0374","SUSE-SU-2022:1315-1","openSUSE-SU-2024:14442-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4885"},{"type":"ADVISORY","url":"https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"},{"type":"ADVISORY","url":"https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"},{"type":"ADVISORY","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210604-0003/"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/netty/netty","events":[{"introduced":"0"},{"fixed":"ccb3ff388f2eb0d107e746fc8b7222b98dd0339a"},{"fixed":"b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.1.61"}]}},{"type":"GIT","repo":"https://github.com/oracle/helidon","events":[{"introduced":"0"},{"last_affected":"1c36ce7b6f19282361f30643ce7b973545cbdd67"},{"introduced":"0"},{"last_affected":"c51cf34df1c7aa4cebe165c13525bcd492912288"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.4.10"},{"introduced":"0"},{"last_affected":"2.4.0"}]}},{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"last_affected":"23590232e1cbfa38916951508719cd0ce5f0767e"},{"introduced":"0"},{"last_affected":"7bdb007f650a604f589eb44264b4df4800f697c0"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.7.0"},{"introduced":"0"},{"last_affected":"1.13.7"}]}}],"versions":["1.13.7.Final","1.4.10","1.7.0.Final","2.4.0","netty-4.0.0.Alpha1","netty-4.0.0.Alpha2","netty-4.0.0.Alpha3","netty-4.0.0.Alpha4","netty-4.0.0.Alpha5","netty-4.0.0.Alpha6","netty-4.0.0.Alpha7","netty-4.0.0.Alpha8","netty-4.0.0.Beta1","netty-4.0.0.Beta2","netty-4.0.0.Beta3","netty-4.0.0.CR1","netty-4.0.0.CR2","netty-4.0.0.CR3","netty-4.0.0.CR4","netty-4.0.0.CR5","netty-4.0.0.CR7","netty-4.0.0.CR8","netty-4.0.0.CR9","netty-4.0.0.Final","netty-4.0.1.Final","netty-4.0.10.Final","netty-4.0.11.Final","netty-4.0.12.Final","netty-4.0.13.Final","netty-4.0.14.Beta1","netty-4.0.14.Final","netty-4.0.15.Final","netty-4.0.2.Final","netty-4.0.3.Final","netty-4.0.4.Final","netty-4.0.5.Final","netty-4.0.6.Final","netty-4.0.7.Final","netty-4.0.8.Final","netty-4.1.0.Beta1","netty-4.1.0.Beta2","netty-4.1.0.Beta3","netty-4.1.0.Beta4","netty-4.1.0.Beta5","netty-4.1.0.Beta6","netty-4.1.0.Beta7","netty-4.1.0.Beta8","netty-4.1.0.CR1","netty-4.1.0.CR2","netty-4.1.0.CR3","netty-4.1.0.CR4","netty-4.1.0.CR5","netty-4.1.0.CR6","netty-4.1.0.CR7","netty-4.1.0.Final","netty-4.1.1.Final","netty-4.1.10.Final","netty-4.1.11.Final","netty-4.1.12.Final","netty-4.1.13.Final","netty-4.1.14.Final","netty-4.1.15.Final","netty-4.1.16.Final","netty-4.1.17.Final","netty-4.1.18.Final","netty-4.1.19.Final","netty-4.1.2.Final","netty-4.1.20.Final","netty-4.1.21.Final","netty-4.1.22.Final","netty-4.1.23.Final","netty-4.1.24.Final","netty-4.1.25.Final","netty-4.1.26.Final","netty-4.1.27.Final","netty-4.1.28.Final","netty-4.1.29.Final","netty-4.1.3.Final","netty-4.1.30.Final","netty-4.1.31.Final","netty-4.1.32.Final","netty-4.1.33.Final","netty-4.1.34.Final","netty-4.1.35.Final","netty-4.1.36.Final","netty-4.1.37.Final","netty-4.1.38.Final","netty-4.1.39.Final","netty-4.1.4.Final","netty-4.1.40.Final","netty-4.1.41.Final","netty-4.1.42.Final","netty-4.1.43.Final","netty-4.1.44.Final","netty-4.1.45.Final","netty-4.1.46.Final","netty-4.1.47.Final","netty-4.1.48.Final","netty-4.1.49.Final","netty-4.1.5.Final","netty-4.1.50.Final","netty-4.1.51.Final","netty-4.1.52.Final","netty-4.1.53.Final","netty-4.1.54.Final","netty-4.1.55.Final","netty-4.1.56.Final","netty-4.1.57.Final","netty-4.1.58.Final","netty-4.1.59.Final","netty-4.1.6.Final","netty-4.1.60.Final","netty-4.1.7.Final","netty-4.1.8.Final","netty-4.1.9.Final"],"database_specific":{"vanir_signatures":[{"id":"CVE-2021-21409-2dd43cd2","deprecated":false,"signature_version":"v1","target":{"file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"},"signature_type":"Line","source":"https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432","digest":{"line_hashes":["13838573216768640385759793565529255181","64590118773695994096416701453684169693","40366867890308275733641722075111913202","99442970543979916107411405808344167983","198242231044819727702710407131067821833","225394451863276396159374637437669084843","301911554181015496237786310350552407434","139803867202197457261202793786133121803","110545635642286327695068815175686630525","102270329366318299529951125491743550036","96141737589129960175616447517902386799"],"threshold":0.9}},{"id":"CVE-2021-21409-50ee60f4","deprecated":false,"signature_version":"v1","target":{"function":"onHeadersRead","file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"},"signature_type":"Function","source":"https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432","digest":{"length":2300,"function_hash":"248404261420512246011971280766729204064"}},{"id":"CVE-2021-21409-c44b07e9","deprecated":false,"signature_version":"v1","target":{"file":"codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MultiplexTest.java"},"signature_type":"Line","source":"https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432","digest":{"line_hashes":["198474550372756316732781608140999075472","222075586400587720623712958327292286488","2476563565448013713485613998268497641","284125967723317361815743930750478417322","123032726700344086474560707545944672027","321810393895313652773431334759360777572","339270693203750699307445382171447256840","157960450431527514498381399403836862564"],"threshold":0.9}},{"id":"CVE-2021-21409-fc46fd41","deprecated":false,"signature_version":"v1","target":{"function":"headerMultipleContentLengthValidationShouldPropagate","file":"codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MultiplexTest.java"},"signature_type":"Function","source":"https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432","digest":{"length":424,"function_hash":"241598310014639263931222477268701821567"}}],"vanir_signatures_modified":"2026-04-11T23:34:01Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21409.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.1.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"1.14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.2.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1"}]},{"events":[{"introduced":"0"},{"fixed":"9.2.6.3"}]},{"events":[{"introduced":"0"},{"fixed":"21.1.12"}]},{"events":[{"introduced":"17.12.0"},{"last_affected":"17.12.11"}]},{"events":[{"introduced":"18.8.0"},{"last_affected":"18.8.11"}]},{"events":[{"introduced":"19.12.0"},{"last_affected":"19.12.10"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}