VYPR
High severityNVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026

Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

CVE-2026-33870

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
io.netty:netty-codec-httpMaven
< 4.1.132.Final4.1.132.Final
io.netty:netty-codec-httpMaven
>= 4.2.0.Alpha1, < 4.2.10.Final4.2.10.Final

Affected products

260

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.