io.netty:netty-codec-http
Maven: 12 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting io.netty:netty-codec-http (page 1 of 1)
- CVE-2019-20444 | CRITICAL | CVSS 9.1 | EG 9.1 | Fixed in 4.1.44 | 2020-01-29
vulnerable: 4.0.0.Alpha1 ... 4.1.9.Final (137 versions)
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
- CVE-2021-21290 | MEDIUM | CVSS 6.2 | EG 6.2 | Fixed in 4.1.59.Final | 2021-02-08
vulnerable: 4.0.0.Final ... 4.1.9.Final (132 versions)
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like …
- CVE-2021-43797 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 4.1.71.Final | 2021-12-09
vulnerable: 4.0.0.Final ... 4.1.9.Final (144 versions)
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beg…
- CVE-2022-24823 | MEDIUM | CVSS 5.5 | EG 5.5 | Fixed in 4.1.77.Final | 2022-05-06
vulnerable: 4.0.0.Alpha1 ... 4.1.9.Final (170 versions)
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are us…
- CVE-2022-41915 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 4.1.86.Final | 2022-12-13
vulnerable: 4.1.83.Final, 4.1.84.Final, 4.1.85.Final
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not pe…
- CVE-2024-29025 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 4.1.108.Final | 2024-03-25
vulnerable: 4.0.0.Alpha1 ... 4.1.99.Final (201 versions)
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can st…
- CVE-2026-41417 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 4.2.13.Final | 2026-05-06
vulnerable: 4.2.0.Alpha1 ... 4.2.9.Final (23 versions)
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would bre…
- CVE-2026-42580 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 4.1.133.Final | 2026-05-13
vulnerable: 4.0.0.Alpha1 ... 4.1.99.Final (226 versions)
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Fina…
- CVE-2026-42581 | MEDIUM | CVSS 5.8 | EG 5.8 | Fixed in 4.1.133.Final | 2026-05-13
vulnerable: 4.0.0.Alpha1 ... 4.1.99.Final (226 versions)
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-…
- CVE-2026-42584 | HIGH | CVSS 7.3 | EG 7.3 | Fixed in 4.1.133.Final | 2026-05-13
vulnerable: 4.0.0.Alpha1 ... 4.1.99.Final (226 versions)
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If th…
- CVE-2026-42585 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 4.1.133.Final | 2026-05-13
vulnerable: 4.0.0.Alpha1 ... 4.1.99.Final (226 versions)
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.…
- CVE-2026-42587 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 4.1.133.Final | 2026-05-13
vulnerable: 4.0.0.Alpha1 ... 4.1.99.Final (226 versions)
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb atta…