Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-41417
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-06 May, 2026 | 20:52
Updated At-07 May, 2026 | 13:59
Rejected At-
▼CVE Numbering Authority (CNA)
Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()

Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.

Affected Products
Vendor
The Netty Projectnetty
Product
netty
Versions
Affected
  • >= 4.2.0.Alpha1, <= 4.2.12.Final
  • <= 4.1.132.Final
Problem Types
TypeCWE IDDescription
CWECWE-93CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWECWE-444CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Type: CWE
CWE ID: CWE-93
Description: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
Type: CWE
CWE ID: CWE-444
Description: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv
x_refsource_CONFIRM
Hyperlink: https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv
exploit
Hyperlink: https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv
Resource:
exploit
Details not found