CVE-2026-42578 (GCVE-0-2026-42578)

Vulnerability from cvelistv5 – Published: 2026-05-13 17:57 – Updated: 2026-06-30 12:08
VLAI?
Title
Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation
Summary
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE
  • CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Assigner
References
Impacted products
Vendor Product Version
netty netty Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
Affected: < 4.1.133.Final
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42578",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T18:36:58.234828Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T15:52:12.304Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:cryostat:4::el9"
            ],
            "defaultStatus": "affected",
            "product": "Cryostat 4 on RHEL 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3.28::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Dev Spaces 3.28",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quarkus:3.27::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat build of Quarkus 3.27.4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quarkus:3.33::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat build of Quarkus 3.33.2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:amq_broker:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat AMQ Broker 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:amq_clients:2023"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat AMQ Clients",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:camel_spring_boot:4"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat build of Apache Camel for Spring Boot 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_registry:2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat build of Apicurio Registry 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:apicurio_registry:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat build of Apicurio Registry 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:debezium:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat build of Debezium 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:build_keycloak:"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Build of Keycloak",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:optaplanner:::el6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat build of OptaPlanner 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_application_platform:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat JBoss Enterprise Application Platform 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_application_platform:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat JBoss Enterprise Application Platform 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jbosseapxp"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Dev Spaces",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Process Automation 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:red_hat_single_sign_on:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Single Sign-On 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:amq_streams:3"
            ],
            "defaultStatus": "affected",
            "product": "streams for Apache Kafka 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:camel_quarkus:3"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_data_grid:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Data Grid 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:satellite:6"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Satellite 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:amq_streams:2"
            ],
            "defaultStatus": "unaffected",
            "product": "streams for Apache Kafka 2",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-13T17:57:43.538Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Netty. The HttpProxyHandler component, which handles HTTP CONNECT requests, does not properly validate user-provided outbound headers. This allows an attacker to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This could lead to unexpected behavior or potential bypass of security controls on the proxy server."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-93",
                "description": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:08:39.226Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-42578"
          },
          {
            "name": "RHBZ#2477226",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477226"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42578.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28010"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25123"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:23808"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:24502"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:28010: Cryostat 4 on RHEL 9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25123: Red Hat OpenShift Dev Spaces 3.28"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:23808: Red Hat build of Quarkus 3.27.4"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:24502: Red Hat build of Quarkus 3.33.2"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-13T19:02:00.826Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-13T17:57:43.538Z",
            "value": "Made public."
          }
        ],
        "title": "netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.133.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-113",
              "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T17:57:43.538Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr"
        }
      ],
      "source": {
        "advisory": "GHSA-45q3-82m4-75jr",
        "discovery": "UNKNOWN"
      },
      "title": "Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42578",
    "datePublished": "2026-05-13T17:57:43.538Z",
    "dateReserved": "2026-04-28T17:26:12.085Z",
    "dateUpdated": "2026-06-30T12:08:39.226Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-113\", \"lang\": \"en\", \"description\": \"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 2.9, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr\"}], \"affected\": [{\"vendor\": \"netty\", \"product\": \"netty\", \"versions\": [{\"version\": \"\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final\", \"status\": \"affected\"}, {\"version\": \"\u003c 4.1.133.Final\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-13T17:57:43.538Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.\"}], \"source\": {\"advisory\": \"GHSA-45q3-82m4-75jr\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42578\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-13T18:36:58.234828Z\"}}}], \"references\": [{\"url\": \"https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-13T18:36:14.074Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42578\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-28T17:26:12.085Z\", \"datePublished\": \"2026-05-13T17:57:43.538Z\", \"dateUpdated\": \"2026-06-23T15:52:12.304Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…