{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33870", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:10:05.678Z", "datePublished": "2026-03-27T19:54:15.586Z", "dateUpdated": "2026-03-31T13:55:47.863Z"}, "containers": {"cna": {"title": "Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "lang": "en", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8"}, {"name": "https://w4ke.info/2025/06/18/funky-chunks.html", "tags": ["x_refsource_MISC"], "url": "https://w4ke.info/2025/06/18/funky-chunks.html"}, {"name": "https://w4ke.info/2025/10/29/funky-chunks-2.html", "tags": ["x_refsource_MISC"], "url": "https://w4ke.info/2025/10/29/funky-chunks-2.html"}, {"name": "https://www.rfc-editor.org/rfc/rfc9110", "tags": ["x_refsource_MISC"], "url": "https://www.rfc-editor.org/rfc/rfc9110"}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"version": "< 4.1.132.Final", "status": "affected"}, {"version": ">= 4.2.0.Alpha1, < 4.2.10.Final", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:54:15.586Z"}, "descriptions": [{"lang": "en", "value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue."}], "source": {"advisory": "GHSA-pwqr-wmgm-9rr8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T13:55:28.970197Z", "id": "CVE-2026-33870", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:55:47.863Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33870", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T13:55:28.970197Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:55:43.820Z"}}], "cna": {"title": "Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing", "source": {"advisory": "GHSA-pwqr-wmgm-9rr8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"status": "affected", "version": "< 4.1.132.Final"}, {"status": "affected", "version": ">= 4.2.0.Alpha1, < 4.2.10.Final"}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8", "name": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://w4ke.info/2025/06/18/funky-chunks.html", "name": "https://w4ke.info/2025/06/18/funky-chunks.html", "tags": ["x_refsource_MISC"]}, {"url": "https://w4ke.info/2025/10/29/funky-chunks-2.html", "name": "https://w4ke.info/2025/10/29/funky-chunks-2.html", "tags": ["x_refsource_MISC"]}, {"url": "https://www.rfc-editor.org/rfc/rfc9110", "name": "https://www.rfc-editor.org/rfc/rfc9110", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:54:15.586Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33870", "state": "PUBLISHED", "dateUpdated": "2026-03-31T13:55:47.863Z", "dateReserved": "2026-03-24T15:10:05.678Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T19:54:15.586Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F551B7E-5E29-4062-8FDB-AA1377B3E8F5", "versionEndExcluding": "4.1.132", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "419E92FA-6271-4613-AF3D-CF09ADFF2E13", "versionEndExcluding": "4.2.10", "versionStartIncluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue."}], "id": "CVE-2026-33870", "lastModified": "2026-03-30T20:12:16.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T20:16:34.663", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://w4ke.info/2025/06/18/funky-chunks.html"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://w4ke.info/2025/10/29/funky-chunks-2.html"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://www.rfc-editor.org/rfc/rfc9110"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values", "id": "2452453", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452453"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-444", "details": ["A flaw was found in Netty. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 chunked transfer encoding extension values. Due to incorrect parsing of quoted strings, this flaw enables request smuggling attacks, potentially allowing an attacker to bypass security controls or access unauthorized information."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33870", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-proxy-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/logging-curator5-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-ekb-dispatcher-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-ekb-receiver-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat AMQ Clients"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "bazel6", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "bazel7", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "bazel8", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-modelmesh-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-modelmesh-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-trustyai-service-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-trustyai-service-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/server-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite:el8/candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-03-27T19:54:15Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33870\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33870\nhttps://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8\nhttps://w4ke.info/2025/06/18/funky-chunks.html\nhttps://w4ke.info/2025/10/29/funky-chunks-2.html\nhttps://www.rfc-editor.org/rfc/rfc9110"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.1.132.Final)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.2.0.Alpha1,4.2.10.Final)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "netty", "source": "cna", "vendor": "netty"}, "product": "netty", "vendor": "netty"}], "analysis": {"en": {"generated_at": "2026-03-31T04:23:45.271700+00:00", "value": {"mitigation_remediation": ["Upgrade Netty to version 4.1.132.Final or later or 4.2.10.Final or later", "Verify that all dependent libraries in the application tree reference the updated Netty release", "If the application bundles Netty within a container or framework, update that container or framework to a version that includes the patched Netty release", "After the upgrade, conduct security testing to confirm that request smuggling is no longer possible"], "summary": {"action": "Patch Immediately", "impact": "HTTP Request Smuggling via incorrect quoted\u2011string parsing"}, "threat_synthesis": {"affected_systems": "The impacted library is Netty, used broadly in Java\u2011based applications for network I/O. Versions predating 4.1.132.Final for the 4.1 branch and 4.2.10.Final for the 4.2 branch are vulnerable. Applications incorporating these Netty releases, including those that embed them as dependencies in web servers, application servers, or microservice runtimes, are at risk. Upgrading to the patched release removes the flaw.", "description_and_impact": "Netty versions prior to 4.1.132.Final and 4.2.10.Final parse quoted strings in HTTP/1.1 chunked transfer encoding extensions incorrectly, allowing attackers to smuggle requests between intermediaries. This weakness, identified as CWE\u2011444, can result in the server interpreting HTTP bodies in unintended ways, potentially causing data leakage, bypassing authentication, or enabling downstream attacks. The vulnerability grants attackers the possibility to alter the logical boundaries of HTTP messages, thereby compromising confidentiality, integrity, or availability of the affected application.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, and the EPSS score of less than 1% suggests that exploit prevalence is low at present. The vulnerability is not listed in the CISA KEV catalog, implying no known mass exploitation. Attackers can remotely submit crafted HTTP requests with chunked encoding extensions to any publicly reachable service that uses the vulnerable Netty library. The attack vector is inferred to be remote network, as the flaw is triggered by externally supplied headers in a standard HTTP request. No specific mitigation was documented besides applying the fix; exploitation would require the ability to influence the request received by the server."}}}}, "created": "2026-03-29T20:30:16.386178+00:00", "updated": "2026-03-31T20:00:45.516722+00:00", "vendors": ["netty", "netty$PRODUCT$netty"]}