VYPR
Critical severity · NVD Advisory · Published Jan 29, 2020 · Updated Jul 1, 2025

CVE-2019-20444


Description

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Netty before 4.1.44 allows HTTP headers lacking a colon to be misinterpreted, leading to request smuggling or response splitting.

Vulnerability

Analysis

CVE-2019-20444 is a parsing flaw in Netty's HttpObjectDecoder.java affecting versions before 4.1.44. The root cause is that the decoder mishandles HTTP header lines that contain no colon (:). According to the official description, such a line might be interpreted as a separate header with incorrect syntax, or as an "invalid fold," meaning the parser may treat it as a continuation of the previous header field's value rather than as a new header. This deviation from RFC 7230 parsing rules can lead to the HTTP frontend and backend interpreting the same message differently.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious HTTP request or response that contains a header line without a colon. The attack surface is the network layer, as the malformed data is sent to any Netty-based server that processes HTTP messages. No authentication is required; the attack can be performed remotely by sending a specially crafted HTTP header sequence. The prerequisite is that the server uses a vulnerable version of Netty (before 4.1.44) and directly passes the parsed headers to downstream components.

Impact

Successful exploitation can result in HTTP request smuggling or response splitting, depending on whether the attack targets a request or a response. An attacker could cause the frontend and backend to disagree on request boundaries, potentially allowing the attacker to inject arbitrary HTTP requests, poison caches, or perform session hijacking [1][2]. The impact severity is high because it can bypass security controls and lead to data exposure or impersonation.

Mitigation

The Netty project fixed this issue in version 4.1.44 by properly rejecting or correcting header lines that lack a colon. Red Hat issued security updates for Netty in Red Hat Enterprise Linux (via RHSA-2020:0601) and JBoss Enterprise Application Platform (via RHSA-2020:0804, RHSA-2020:0805, RHSA-2020:0806) to include the patched version [1][2][3][4]. Users should upgrade to Netty 4.1.44 or later, or apply the relevant Red Hat erratum.
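To make the Analysis and Mitigation sections concrete, the following added example (it is not Netty's code and does not reproduce the patch) models the two behaviours the advisory contrasts: a lenient parser that folds a colon-less header line into the preceding field value, and a strict parser that rejects such a line, which is the behaviour the advisory attributes to Netty 4.1.44 and later. The helper `parsers_disagree` is a detection aid: it flags a raw message head that the two interpretations would parse differently. All function names and the sample request bytes are constructed for this example.

```python
"""Strict vs. lenient handling of an HTTP header line that has no colon.

Added example, not Netty's code. It models the behaviour the advisory
describes: a lenient parser that folds a colon-less line into the previous
field value versus a strict parser that rejects the line outright (the
behaviour the advisory attributes to Netty 4.1.44 and later). The sample
requests below are constructed for this example.
"""
from typing import Dict, List, Tuple


class MalformedHeaderError(ValueError):
    """Raised by the strict parser for a header line it will not accept."""


def _split_header_block(raw: bytes) -> List[str]:
    """Return the header lines (without the request line) of a raw message head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    return lines[1:]  # drop the request/status line


def parse_headers_strict(raw: bytes) -> Dict[str, str]:
    """RFC 7230 style: every header line must be 'name: value'.

    A line with no colon is rejected, and so is obs-fold (a line starting
    with SP or HTAB), which RFC 7230 section 3.2.4 tells senders not to emit.
    """
    headers: Dict[str, str] = {}
    for line in _split_header_block(raw):
        if line[:1] in (" ", "\t"):
            raise MalformedHeaderError(f"obsolete line folding not accepted: {line!r}")
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise MalformedHeaderError(f"header line lacks a valid 'name:' prefix: {line!r}")
        key = name.lower()
        value = value.strip()
        # Repeated field names are combined as a comma-separated list.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def parse_headers_lenient(raw: bytes) -> Dict[str, str]:
    """Models the pre-fix behaviour the advisory describes: a colon-less line
    is treated as a fold, i.e. appended to the value of the preceding header."""
    headers: Dict[str, str] = {}
    last_key = None
    for line in _split_header_block(raw):
        name, sep, value = line.partition(":")
        if sep:
            last_key = name.strip().lower()
            headers[last_key] = value.strip()
        elif last_key is not None:
            # The "invalid fold": glue the stray line onto the previous value.
            headers[last_key] = headers[last_key] + " " + line.strip()
        # A stray line before any header is dropped silently.
    return headers


def strict_rejects(raw: bytes) -> bool:
    """True when the strict parser refuses the message head."""
    try:
        parse_headers_strict(raw)
    except MalformedHeaderError:
        return True
    return False


def parsers_disagree(raw: bytes) -> Tuple[bool, str]:
    """Detection helper: report whether strict and lenient parsing diverge.

    Two components that differ in this way (one strict, one lenient) are the
    precondition for the frontend/backend disagreement the advisory warns about.
    """
    try:
        strict = parse_headers_strict(raw)
    except MalformedHeaderError as exc:
        return True, str(exc)
    lenient = parse_headers_lenient(raw)
    if strict == lenient:
        return False, "both parsers produce the same headers"
    return True, "both parsers accept the message but produce different headers"


# Constructed sample inputs for this example.
WELL_FORMED = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Trace: abc\r\n\r\n"
MISSING_COLON = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Trace abc\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("well-formed", WELL_FORMED), ("missing colon", MISSING_COLON)):
        diverge, reason = parsers_disagree(sample)
        print(f"{label}: lenient={parse_headers_lenient(sample)} disagree={diverge} ({reason})")
```

Running the module shows the lenient parser silently turning the colon-less line into part of the Host value, while the strict parser raises; an application in front of a Netty service can apply the strict rule itself so that a message the upstream would fold never reaches it.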

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Ecosystem   Affected versions   Patched versions
io.netty:netty-codec-http   Maven       < 4.1.44            4.1.44
org.jboss.netty:netty       Maven       >= 0                none listed
io.netty:netty              Maven       >= 0                none listed

Affected products: 7

Patches: 0
No patches discovered yet.

Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.

References: 122

News mentions: 0
No linked articles in our index yet.