VYPR
← All advisories
Medium severity5.3NVD Advisory· Published Jun 12, 2026· Updated Jun 12, 2026

CVE-2026-50020

CVE-2026-50020

Description

Netty's HttpObjectDecoder skips arbitrary initial control characters, enabling HTTP request smuggling in pipelined/multiplexed transports.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Netty's HttpObjectDecoder skips arbitrary initial control characters, enabling HTTP request smuggling in pipelined/multiplexed transports.

Vulnerability

In Netty's HttpObjectDecoder (in io.netty:netty-codec-http), the decoder unconditionally skips every byte for which Character.isISOControl(b) is true (0x00–0x1F and 0x7F) as well as all whitespace before reading the first request-line. This behavior extends far beyond the robustness allowance described in RFC 9112 §2.2, which only permits ignoring empty CRLF sequences. The overbroad skipping is implemented in HttpObjectDecoder.java lines 1298–1313 via the ISO_CONTROL_OR_WHITESPACE static initializer and the SKIP_CONTROL_CHARS_BYTES byte processor. Versions prior to 4.1.135.Final and 4.2.15.Final are affected [1].

Exploitation

An attacker with network access to a vulnerable Netty-based HTTP server can send one or more NUL (0x00), SOH (0x01), STX (0x02), BEL (0x07), DEL (0x7F), or any other non-CRLF control character as prefix bytes before the HTTP request-line. Because the decoder silently absorbs these bytes while a front-end proxy or load-balancer may treat them differently, an attacker can induce a mismatch in how request boundaries are interpreted between the front-end and Netty. This is especially dangerous in pipelined or multiplexed transport configurations [1].

Impact

Successful exploitation enables HTTP request smuggling, allowing the attacker to desynchronize request parsing across components. Depending on the architecture, this can lead to cache poisoning, security policy bypass, or hijacking of subsequent requests. The trust boundary between a front-end proxy and the Netty backend is broken, with potential integrity and availability impacts [1].

Mitigation

The issue is fixed in Netty versions 4.1.135.Final and 4.2.15.Final, released on 2026-06-12 [2][3]. Users should upgrade to these or later versions. No workarounds have been published for earlier releases.

References
  1. HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
  2. Release netty-4.1.135.Final · netty/netty
  3. Release netty-4.2.15.Final · netty/netty

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Netty/Nettyreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: < 4.1.135.Final || < 4.2.15.Final

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"HttpObjectDecoder silently skips all ISO control characters (0x00–0x1F, 0x7F) and whitespace before the request-line, going far beyond RFC 9112 §2.2's allowance to ignore only empty CRLF lines."

Attack vector

An attacker prepends non-CRLF control bytes (e.g. NUL 0x00, SOH 0x01) to an HTTP request. Netty's HttpObjectDecoder silently consumes these bytes via the ISO_CONTROL_OR_WHITESPACE skip logic [ref_id=1], while a front-end component (load balancer, TLS terminator) that does not perform the same scan sees a different message boundary. This discrepancy enables request-desync / smuggling attacks in pipelined or multiplexed transports [ref_id=1]. No authentication or special network access is required; the attacker only needs to send crafted bytes over the wire.

Affected code

HttpObjectDecoder.java in the codec-http module: the ISO_CONTROL_OR_WHITESPACE static initializer (lines 1298–1313), the SKIP_CONTROL_CHARS_BYTES ByteProcessor (lines 1307–1313), and the LineParser.skipControlChars method (lines 1275–1289) are responsible for the overly broad skip [ref_id=1].

What the fix does

Versions 4.1.135.Final and 4.2.15.Final patch the issue by restricting the pre-request-line skip to only empty CRLF lines, as RFC 9112 §2.2 permits [ref_id=1]. The ISO_CONTROL_OR_WHITESPACE table and SKIP_CONTROL_CHARS_BYTES ByteProcessor in HttpObjectDecoder.java (lines 1298–1313 and 1275–1289) previously accepted all ISO control characters and whitespace; the fix narrows this to match the RFC's scoped robustness allowance [ref_id=1]. After the patch, non-CRLF control bytes such as NUL or SOH cause a parse error instead of being silently absorbed.

Preconditions

  • networkAttacker must be able to send raw bytes to a Netty-based HTTP server
  • configA front-end component (load balancer, TLS terminator) must treat non-CRLF control bytes differently than Netty does

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.