Medium severity5.3GHSA Advisory· Published May 6, 2026· Updated May 11, 2026

CVE-2026-41417

Description

Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri(). The constructors reject CRLF and whitespace characters that would break the start-line, but setUri() does not apply the same validation. HttpRequestEncoder and RtspEncoder then write the URI into the request line verbatim. If attacker-controlled input reaches setUri(), this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
io.netty:netty-codec-httpMaven	< 4.1.133.Final	4.1.133.Final
io.netty:netty-codec-httpMaven	>= 4.2.0.Alpha1, < 4.2.13.Final	4.2.13.Final

Affected products

Netty/NettyGHSA2 versions
>= 4.2.0.Alpha1, <= 4.2.12.Final+ 1 more
- (no CPE)range: >= 4.2.0.Alpha1, <= 4.2.12.Final
- cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*range: <4.1.133

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmvnvdExploitMitigationVendor AdvisoryWEB
github.com/advisories/GHSA-v8h7-rr48-vmmvghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41417ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000