{"id":"CVE-2021-43797","details":"Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to \"sanitize\" header names before it forwards them to another remote system when used as a proxy. That remote system can no longer see the invalid usage, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.","aliases":["GHSA-wx5j-54mm-rqqq"],"modified":"2026-04-11T18:45:42.722142Z","published":"2021-12-09T19:15:07.960Z","related":["CGA-9pj8-4gmp-wp6g","GHSA-wx5j-54mm-rqqq","SUSE-SU-2022:1271-1","SUSE-SU-2022:2047-1","openSUSE-SU-2024:11743-1","openSUSE-SU-2024:11981-1"],"references":[{"type":"ADVISORY","url":"https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220107-0003/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5316"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"FIX","url":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/netty/netty","events":[{"introduced":"0"},{"fixed":"2e346c1d1d6fc58762f52fd31ee4dc5a92d3a5bd"},{"fixed":"07aa6b5938a8b6ed7a6586e066400e2643897323"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.1.71"}]}},{"type":"GIT","repo":"https://github.com/oracle/helidon","events":[{"introduced":"0"},{"fixed":"4a757131019b96
9d91a6eeeda9da2e4063e0e107"},{"introduced":"0"},{"last_affected":"101f1aaf0f9c993eb1da721dc0e5494627b4ce6b"},{"introduced":"0"},{"last_affected":"1c36ce7b6f19282361f30643ce7b973545cbdd67"},{"introduced":"0"},{"last_affected":"c51cf34df1c7aa4cebe165c13525bcd492912288"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.5.3"},{"introduced":"0"},{"last_affected":"2.6.2"},{"introduced":"0"},{"last_affected":"1.4.10"},{"introduced":"0"},{"last_affected":"2.4.0"}]}},{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"last_affected":"6378c69703a485f55b3d221493b5f1e3cfdf9003"},{"introduced":"0"},{"last_affected":"6378c69703a485f55b3d221493b5f1e3cfdf9003"},{"introduced":"0"},{"last_affected":"19f493aee8083cacba182d11945a3e99c2e45db4"},{"introduced":"0"},{"last_affected":"e0ec828bc92ce02c8bd29fa37e9e07f16eea28f4"},{"introduced":"0"},{"last_affected":"23590232e1cbfa38916951508719cd0ce5f0767e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.7"},{"introduced":"0"},{"last_affected":"2.7.0"},{"introduced":"0"},{"last_affected":"1.11.0"},{"introduced":"0"},{"last_affected":"1.8.0"},{"introduced":"0"},{"last_affected":"1.7.0"}]}}],"versions":["1.11.0.Final","1.4.10","1.7.0.Final","1.8.0.Final","2.4.0","2.6.2","2.7.0.Final","netty-4.0.0.Alpha1","netty-4.0.0.Alpha2","netty-4.0.0.Alpha3","netty-4.0.0.Alpha4","netty-4.0.0.Alpha5","netty-4.0.0.Alpha6","netty-4.0.0.Alpha7","netty-4.0.0.Alpha8","netty-4.0.0.Beta1","netty-4.0.0.Beta2","netty-4.0.0.Beta3","netty-4.0.0.CR1","netty-4.0.0.CR2","netty-4.0.0.CR3","netty-4.0.0.CR4","netty-4.0.0.CR5","netty-4.0.0.CR7","netty-4.0.0.CR8","netty-4.0.0.CR9","netty-4.0.0.Final","netty-4.0.1.Final","netty-4.0.10.Final","netty-4.0.11.Final","netty-4.0.12.Final","netty-4.0.13.Final","netty-4.0.14.Beta1","netty-4.0.14.Final","netty-4.0.15.Final","netty-4.0.2.Final","netty-4.0.3.Final","netty-4.0.4.Final","netty-4.0.5.Final","netty-4.0.6.Final","netty-4.0.7.Final","netty-4.0.8.Fin
al","netty-4.1.0.Beta1","netty-4.1.0.Beta2","netty-4.1.0.Beta3","netty-4.1.0.Beta4","netty-4.1.0.Beta5","netty-4.1.0.Beta6","netty-4.1.0.Beta7","netty-4.1.0.Beta8","netty-4.1.0.CR1","netty-4.1.0.CR2","netty-4.1.0.CR3","netty-4.1.0.CR4","netty-4.1.0.CR5","netty-4.1.0.CR6","netty-4.1.0.CR7","netty-4.1.0.Final","netty-4.1.1.Final","netty-4.1.10.Final","netty-4.1.11.Final","netty-4.1.12.Final","netty-4.1.13.Final","netty-4.1.14.Final","netty-4.1.15.Final","netty-4.1.16.Final","netty-4.1.17.Final","netty-4.1.18.Final","netty-4.1.19.Final","netty-4.1.2.Final","netty-4.1.20.Final","netty-4.1.21.Final","netty-4.1.22.Final","netty-4.1.23.Final","netty-4.1.24.Final","netty-4.1.25.Final","netty-4.1.26.Final","netty-4.1.27.Final","netty-4.1.28.Final","netty-4.1.29.Final","netty-4.1.3.Final","netty-4.1.30.Final","netty-4.1.31.Final","netty-4.1.32.Final","netty-4.1.33.Final","netty-4.1.34.Final","netty-4.1.35.Final","netty-4.1.36.Final","netty-4.1.37.Final","netty-4.1.38.Final","netty-4.1.39.Final","netty-4.1.4.Final","netty-4.1.40.Final","netty-4.1.41.Final","netty-4.1.42.Final","netty-4.1.43.Final","netty-4.1.44.Final","netty-4.1.45.Final","netty-4.1.46.Final","netty-4.1.47.Final","netty-4.1.48.Final","netty-4.1.49.Final","netty-4.1.5.Final","netty-4.1.50.Final","netty-4.1.51.Final","netty-4.1.52.Final","netty-4.1.53.Final","netty-4.1.54.Final","netty-4.1.55.Final","netty-4.1.56.Final","netty-4.1.57.Final","netty-4.1.58.Final","netty-4.1.59.Final","netty-4.1.6.Final","netty-4.1.60.Final","netty-4.1.61.Final","netty-4.1.62.Final","netty-4.1.63.Final","netty-4.1.64.Final","netty-4.1.65.Final","netty-4.1.66.Final","netty-4.1.67.Final","netty-4.1.68.Final","netty-4.1.69.Final","netty-4.1.7.Final","netty-4.1.70.Final","netty-4.1.8.Final","netty-4.1.9.Final"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","target":{"function":"splitHeader","file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"},"signature_type":"Function","source":"ht
tps://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","digest":{"length":721,"function_hash":"18233425441436127750782009070532165344"},"deprecated":false,"id":"CVE-2021-43797-06e8f123"},{"signature_version":"v1","target":{"function":"testContentLengthHeaderAndChunked","file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"},"signature_type":"Function","source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","digest":{"length":625,"function_hash":"172481325208139734420814766658866698590"},"deprecated":false,"id":"CVE-2021-43797-1a525c75"},{"signature_version":"v1","target":{"file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"},"signature_type":"Line","source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","digest":{"threshold":0.9,"line_hashes":["309063670718511852852130624213590019128","236028198603043349454850779406824610877","270842797415329582936981774885370126028","186080358750429610931052563775734784239","226215294083256624125810313988307288511","226227342066640177055081876388804373096","138994542358011796466486833744208061858","105230826901819499999452807477415866947","334664931806984178562747170361686518977","161248011630319998146678241255534469769","261672280417367862732224899564577162249","17628894065973736492298769263740826268","103878262630415130004754967443765499734","11026235238673042823005249559779410821","166716581219736466294267342503528367140","142448574484156466214458763293749879625","60843268908281218031061033820250491848"]},"deprecated":false,"id":"CVE-2021-43797-26cc52ea"},{"signature_version":"v1","target":{"function":"validateHeaderNameElement","file":"codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java"},"signature_type":"Function","source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","digest":{"length":425,"function_hash":"2694
94387521881585452919491774019618154"},"deprecated":false,"id":"CVE-2021-43797-4a51298f"},{"signature_version":"v1","target":{"function":"testWhitespaceBeforeTransferEncoding01","file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"},"signature_type":"Function","source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","digest":{"length":181,"function_hash":"120389524553676198839368369664138070526"},"deprecated":false,"id":"CVE-2021-43797-519021ec"},{"signature_version":"v1","target":{"file":"codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java"},"signature_type":"Line","source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","digest":{"threshold":0.9,"line_hashes":["242725271108212257826686151719562831231","277129886284590452125535259180690183607","37624302477473825498411741862664336775","228917488556910377238465181157986725774","140034408903480898175462269668254395793","68545724326011841925920210003172109296","152338190554326077557988043637150582391","228917488556910377238465181157986725774"]},"deprecated":false,"id":"CVE-2021-43797-51bcc4f8"},{"signature_version":"v1","target":{"function":"testWhitespaceBeforeTransferEncoding02","file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"},"signature_type":"Function","source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","digest":{"length":255,"function_hash":"78882820443181217366376297190537956095"},"deprecated":false,"id":"CVE-2021-43797-6743f810"},{"signature_version":"v1","target":{"function":"findNonWhitespace","file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"},"signature_type":"Function","source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","digest":{"length":464,"function_hash":"226325652847968273253557520703398600741"},"deprecated":false,"id":"CVE-2021-
43797-896c8431"},{"signature_version":"v1","target":{"function":"testInvalidHeaders0","file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"},"signature_type":"Function","source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","digest":{"length":350,"function_hash":"143355351109797365878732174997598858949"},"deprecated":false,"id":"CVE-2021-43797-89cf9790"},{"signature_version":"v1","target":{"file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"},"signature_type":"Line","source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","digest":{"threshold":0.9,"line_hashes":["293566301854528473193701345220748168838","20493677530200135325719121561137500047","82344960543321320024408399124961733412","35637158797269933644520018473969402735","305950220969642324533573865219745257664","58081112648400015918910281176725437563","179050730279709306629066176660033019123","80143913047974372073414469457521783394","134919843011996964607502088886550557098","314471269814671764574450078684188688628","145458788300236256083064394210482398959","203505929758462516178032321139310340588","315989757269814039419848914586085166430","130910431073191905943905706865477642212","295279021656024965261560235598398861142","96053510847438498522627689639769355831","41606000927528761739111858373969682165","156109033474320444970105423142755047758","337890363482822668905493818716498701024","169870631923428948851627051058605385542","89943439626233183666145654945487999257","290012946538219556351694370753142870168","320931445265113101257787127976293787177","168085210419525997325080145804884642040","180226531019266707085505012886586320307","258175206180267023907493838535738061655","50103203110654270618969763800831939362","307126096742608635079049137510492356186","235725288567037057814612777792344782235"]},"deprecated":false,"id":"CVE-2021-43797-bee6ba3d"},{"signature_version":"v1","t
arget":{"file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpResponseDecoderTest.java"},"signature_type":"Line","source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","digest":{"threshold":0.9,"line_hashes":["327084716185792067665855380440375424198","280137859413748684000047352190436860807"]},"deprecated":false,"id":"CVE-2021-43797-ccd3136b"},{"signature_version":"v1","target":{"function":"validateHeaderNameElement","file":"codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java"},"signature_type":"Function","source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","digest":{"length":423,"function_hash":"270361193334713344899991966096587179287"},"deprecated":false,"id":"CVE-2021-43797-ecaa030e"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.1.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.58"}]},{"events":[{"introduced":"0"},{"last_affected":"8.59"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"vanir_signatures_modified":"2026-04-11T18:45:42Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43797.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}