Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42578

CVE-2026-42578: Netty HTTP Header Injection Vulnerability

CVE-2026-42578 is an HTTP header injection flaw in Netty's HttpProxyHandler that allows attackers to inject arbitrary headers into CONNECT requests. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-42578 Overview

CVE-2026-42578 is a header injection vulnerability in Netty, an asynchronous, event-driven network application framework widely used in Java applications. The flaw exists in HttpProxyHandler, which constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then appends user-supplied outboundHeaders without CRLF validation. An attacker who can influence outbound headers can inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. The issue maps to [CWE-113] HTTP Response Splitting and affects Netty versions prior to 4.2.13.Final and 4.1.133.Final.

Critical Impact

Attackers who control proxy outbound headers can inject arbitrary HTTP headers into CONNECT requests, enabling request smuggling or proxy manipulation under specific deployment conditions.

Affected Products

  • Netty versions prior to 4.2.13.Final
  • Netty versions prior to 4.1.133.Final
  • Applications using HttpProxyHandler with attacker-influenced outbound headers

Discovery Timeline

  • 2026-05-13 - CVE-2026-42578 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-42578

Vulnerability Analysis

The vulnerability resides in Netty's HttpProxyHandler, the component responsible for tunneling traffic through an HTTP proxy via the CONNECT method. When the handler builds the initial CONNECT request, it instantiates an HttpHeaders object with validation disabled. Validation is the safeguard that rejects header names and values containing carriage return or line feed characters.

Without this check, any caller-supplied header passed through outboundHeaders is written verbatim into the wire-level HTTP message. An attacker who influences a header value can embed \r\n sequences to terminate the current header line and append additional headers, or even a second HTTP request, to the CONNECT payload sent upstream.

Root Cause

The root cause is the explicit use of DefaultHttpHeadersFactory.headersFactory().withValidation(false) inside newInitialMessage(). This bypasses Netty's built-in CRLF defenses for header content. Combined with the absence of any compensating sanitization on outboundHeaders, attacker-controlled data flows directly into the serialized HTTP request.

Attack Vector

Exploitation requires the attacker to control or influence the value of a header passed to HttpProxyHandler. The injection occurs over the network channel between the Netty client and the upstream proxy. A successful injection can introduce spoofed headers such as Host, Authorization, or smuggled request lines, depending on how the proxy parses the malformed CONNECT request. No verified proof-of-concept exploit code is publicly available. See the GitHub Security Advisory for technical details.

Detection Methods for CVE-2026-42578

Indicators of Compromise

  • CONNECT requests in proxy access logs containing unexpected secondary headers or duplicate Host entries
  • Proxy log entries showing malformed CRLF sequences within header values for upstream tunnels
  • Anomalous HTTP request volume from Java services that route through HttpProxyHandler

Detection Strategies

  • Inspect dependency manifests (Maven, Gradle) for io.netty:netty-codec-http versions below 4.2.13.Final or 4.1.133.Final
  • Apply static analysis rules to flag invocations of HttpProxyHandler constructors that accept user-supplied header maps
  • Enable proxy-side strict header parsing to log or reject CONNECT requests containing embedded CRLF

Monitoring Recommendations

  • Forward proxy and application logs to a centralized analytics platform for correlation of malformed CONNECT requests
  • Alert on header values that exceed normal length or contain non-printable characters before they reach the proxy
  • Track outbound HTTP traffic patterns from Netty-based services for unusual upstream targets following deployments

How to Mitigate CVE-2026-42578

Immediate Actions Required

  • Upgrade Netty to 4.2.13.Final or 4.1.133.Final in all affected services and rebuild dependent artifacts
  • Audit all code paths that pass user-controlled data into HttpProxyHandler outbound headers
  • Restrict proxy configuration so that only trusted internal components can supply outbound header values

Patch Information

The vulnerability is fixed in Netty 4.2.13.Final and 4.1.133.Final. The patches restore header validation in the CONNECT request construction path. Refer to the Netty GHSA-45q3-82m4-75jr advisory for release notes and remediation details.

Workarounds

  • Sanitize all header values for \r and \n characters before passing them to HttpProxyHandler
  • Reject or strip user-supplied input from any header map forwarded to the proxy handler until upgrade is possible
  • Place an intermediate HTTP-aware proxy that enforces strict CRLF rejection between Netty clients and upstream proxies
bash
# Maven dependency upgrade example
mvn versions:use-dep-version -Dincludes=io.netty:netty-codec-http -DdepVersion=4.1.133.Final -DforceVersion=true

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.