Low severity2.9GHSA Advisory· Published May 13, 2026· Updated May 14, 2026

CVE-2026-42578

Description

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Affected products

Netty/NettyGHSA
Range: >= 4.2.0.Alpha1, <= 4.2.12.Final

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

Severity

LowCVSS v3.1

2.9/ 10

CVSS v42.9

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: None

Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS

Probability of exploitation in the next 30 days.

0.05%

VYPR risk score

Composite of severity, exploitation, and reach.

0.07low

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CVE ID

CVE-2026-42578

Credits

A
August829
reporter · ghsa