top of page
perceptive_background_267k.jpg

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strin…

Published:

26 March 2026 at 23:00:00

Alert date:

27 March 2026 at 21:04:38

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Network Infrastructure

Netty, an asynchronous event-driven network application framework, contains a vulnerability in versions prior to 4.1.132.Final and 4.2.10.Final. The framework incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, which enables request smuggling attacks. This parsing flaw can allow attackers to manipulate HTTP request processing and potentially bypass security controls. The vulnerability has been addressed in the latest versions 4.1.132.Final and 4.2.10.Final with proper parsing fixes.

Technical details

Mitigation steps:

Affected products:

Netty

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-33870
https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8
https://w4ke.info/2025/06/18/funky-chunks.html
https://w4ke.info/2025/10/29/funky-chunks-2.html
https://www.rfc-editor.org/rfc/rfc9110

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page