Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
CVE-2021-21409
This medium-severity CVE scores 5.9 under NVD CVSS v3. EPSS exploit probability: 2.5%, top 14% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
A fix is available — apply it.
- CVSS v3
- 5.9
- EG Score
- 5.9(medium)
- EPSS
- 91.1%
- KEV
- Not listed
Published
March 30, 2021
Last Modified
November 21, 2024
References (118)
- security-advisories@githubhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295
- security-advisories@githubhttps://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
- security-advisories@githubhttps://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
- security-advisories@githubhttps://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
- security-advisories@githubhttps://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E
- security-advisories@githubhttps://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E
- security-advisories@githubhttps://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E
- security-advisories@githubhttps://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E
- security-advisories@githubhttps://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E
- security-advisories@githubhttps://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E
- security-advisories@githubhttps://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E
- security-advisories@githubhttps://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E
- security-advisories@githubhttps://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E
- security-advisories@githubhttps://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E
- security-advisories@githubhttps://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E
Vendor Advisories for CVE-2021-21409(5)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2022:5498Red Hat Product SecurityMedium
Red Hat Security Advisory: Satellite 6.11 Release
- RHSA-2021:5134Red Hat Product SecurityCritical
Red Hat Security Advisory: Red Hat Fuse 7.10.0 release and security update
- RHSA-2021:5129Red Hat Product SecurityMedium
Red Hat Security Advisory: Openshift Logging security and bug update (5.3.1)
- RHSA-2021:5127Red Hat Product SecurityMedium
Red Hat Security Advisory: Openshift Logging security and bug update (5.2.4)
- RHSA-2021:5128Red Hat Product SecurityMedium
Red Hat Security Advisory: Openshift Logging security and bug update (5.1.5)
Patch Availability(13)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | libnetty-java (1:4.0.34-1ubuntu0.1~esm1) @ xenial | 2026-05-26 | ubuntu |
| redhat | candlepin-0:4.1.13-1.el8sat | 2022-07-05 | redhat |
| redhat | openshift-logging/elasticsearch6-rhel8:v6.8.1-65 | 2021-12-14 | redhat |
| redhat | openshift-logging/elasticsearch6-rhel8:v6.8.1-66 | 2021-12-14 | redhat |
| redhat | openshift-logging/elasticsearch6-rhel8:v6.8.1-67 | 2021-12-14 | redhat |
| redhat | netty | 2021-12-14 | redhat |
| redhat | patch | 2021-09-30 | redhat |
| redhat | eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap | 2021-09-23 | redhat |
| redhat | eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap | 2021-09-23 | redhat |
| redhat | eap7-wildfly-http-client-0:1.0.28-1.Final_redhat_00001.1.el6eap | 2021-07-13 | redhat |
| redhat | eap7-wildfly-http-client-0:1.0.28-1.Final_redhat_00001.1.el8eap | 2021-07-13 | redhat |
| redhat | eap7-wildfly-http-client-0:1.0.28-1.Final_redhat_00001.1.el7eap | 2021-07-13 | redhat |
| redhat | qpid-proton-0:0.33.0-8.el8 | 2021-05-06 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(3 across 1 ecosystem)
Maven(3)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| io.netty:netty | 3.10.0.Final ... 4.0.0.Alpha8 (71 versions) | — | — |
| io.netty:netty-codec-http2 | 4.1.0.Beta4 ... 4.1.9.Final (73 versions) | 4.1.61.Final | — |
| org.jboss.netty:netty | 3.0.0.CR1 ... 3.2.9.Final (39 versions) | — | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(17)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2021:1511MODERATE2021-03-30
RHSA-2021:1511 — Moderate
- Red HatRHSA-2021:2139MODERATE2021-03-30
RHSA-2021:2139 — Moderate
- Red HatRHSA-2021:2465MODERATE2021-03-30
RHSA-2021:2465 — Moderate
- Red HatRHSA-2021:2689MODERATE2021-03-30
RHSA-2021:2689 — Moderate
- Red HatRHSA-2021:2692MODERATE2021-03-30
RHSA-2021:2692 — Moderate
- Red HatRHSA-2021:2693MODERATE2021-03-30
RHSA-2021:2693 — Moderate
- Red HatRHSA-2021:2694MODERATE2021-03-30
RHSA-2021:2694 — Moderate
- Red HatRHSA-2021:2696MODERATE2021-03-30
RHSA-2021:2696 — Moderate
- Red HatRHSA-2021:2755MODERATE2021-03-30
RHSA-2021:2755 — Moderate
- Red HatRHSA-2021:2965MODERATE2021-03-30
RHSA-2021:2965 — Moderate
- Red HatRHSA-2021:3225MODERATE2021-03-30
RHSA-2021:3225 — Moderate
- Red HatRHSA-2021:3656MODERATE2021-03-30
RHSA-2021:3656 — Moderate
- Red HatRHSA-2021:3658MODERATE2021-03-30
RHSA-2021:3658 — Moderate
- Red HatRHSA-2021:3660MODERATE2021-03-30
RHSA-2021:3660 — Moderate
- Red HatRHSA-2021:3700MODERATE2021-03-30
RHSA-2021:3700 — Moderate
- Red HatRHSA-2021:3880MODERATE2021-03-30
RHSA-2021:3880 — Moderate
- UbuntuUSN-6049-1MEDIUM
Netty vulnerabilities
Data Freshness Timeline
(refreshed 9× in last 7d / 45× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-09 19:07 UTCEPSS rescore
- 2026-07-08 15:12 UTCEPSS rescore
- 2026-07-07 13:43 UTCEPSS rescore
- 2026-07-06 16:25 UTCEPSS rescore
- 2026-07-06 02:21 UTCEPSS rescore
- 2026-07-06 02:21 UTCEPSS rescore
- 2026-07-05 02:28 UTCEPSS rescore
- 2026-07-05 02:28 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-02 16:57 UTCEPSS rescore
- 2026-07-01 15:03 UTCEPSS rescore
- 2026-07-01 06:18 UTCOSV refresh
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-28 14:05 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
Show 56 moreShow fewer
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-22 14:23 UTCEPSS rescore
- 2026-06-21 14:54 UTCEPSS rescore
- 2026-06-21 14:54 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-16 17:50 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 10:43 UTCOSV refresh
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:20 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:08 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 19:02 UTCEG score recompute
- 2026-05-26 19:02 UTCVendor advisory
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-24 16:49 UTCEPSS rescore
Frequently asked(5)
What is CVE-2021-21409?
When was CVE-2021-21409 disclosed?
Is CVE-2021-21409 actively exploited?
What is the CVSS score of CVE-2021-21409?
How do I remediate CVE-2021-21409?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-21409
Is Your Infrastructure Affected by CVE-2021-21409?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.