CVE-2026-42578 Overview
CVE-2026-42578 is a header injection vulnerability in Netty, an asynchronous, event-driven network application framework widely used in Java applications. The flaw exists in HttpProxyHandler, which constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then appends user-supplied outboundHeaders without CRLF validation. An attacker who can influence outbound headers can inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. The issue maps to [CWE-113] HTTP Response Splitting and affects Netty versions prior to 4.2.13.Final and 4.1.133.Final.
Critical Impact
Attackers who control proxy outbound headers can inject arbitrary HTTP headers into CONNECT requests, enabling request smuggling or proxy manipulation under specific deployment conditions.
Affected Products
- Netty versions prior to 4.2.13.Final
- Netty versions prior to 4.1.133.Final
- Applications using HttpProxyHandler with attacker-influenced outbound headers
Discovery Timeline
- 2026-05-13 - CVE-2026-42578 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42578
Vulnerability Analysis
The vulnerability resides in Netty's HttpProxyHandler, the component responsible for tunneling traffic through an HTTP proxy via the CONNECT method. When the handler builds the initial CONNECT request, it instantiates an HttpHeaders object with validation disabled. Validation is the safeguard that rejects header names and values containing carriage return or line feed characters.
Without this check, any caller-supplied header passed through outboundHeaders is written verbatim into the wire-level HTTP message. An attacker who influences a header value can embed \r\n sequences to terminate the current header line and append additional headers, or even a second HTTP request, to the CONNECT payload sent upstream.
Root Cause
The root cause is the explicit use of DefaultHttpHeadersFactory.headersFactory().withValidation(false) inside newInitialMessage(). This bypasses Netty's built-in CRLF defenses for header content. Combined with the absence of any compensating sanitization on outboundHeaders, attacker-controlled data flows directly into the serialized HTTP request.
Attack Vector
Exploitation requires the attacker to control or influence the value of a header passed to HttpProxyHandler. The injection occurs over the network channel between the Netty client and the upstream proxy. A successful injection can introduce spoofed headers such as Host, Authorization, or smuggled request lines, depending on how the proxy parses the malformed CONNECT request. No verified proof-of-concept exploit code is publicly available. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-42578
Indicators of Compromise
- CONNECT requests in proxy access logs containing unexpected secondary headers or duplicate Host entries
- Proxy log entries showing malformed CRLF sequences within header values for upstream tunnels
- Anomalous HTTP request volume from Java services that route through HttpProxyHandler
Detection Strategies
- Inspect dependency manifests (Maven, Gradle) for io.netty:netty-codec-http versions below 4.2.13.Final or 4.1.133.Final
- Apply static analysis rules to flag invocations of HttpProxyHandler constructors that accept user-supplied header maps
- Enable proxy-side strict header parsing to log or reject CONNECT requests containing embedded CRLF
Monitoring Recommendations
- Forward proxy and application logs to a centralized analytics platform for correlation of malformed CONNECT requests
- Alert on header values that exceed normal length or contain non-printable characters before they reach the proxy
- Track outbound HTTP traffic patterns from Netty-based services for unusual upstream targets following deployments
How to Mitigate CVE-2026-42578
Immediate Actions Required
- Upgrade Netty to 4.2.13.Final or 4.1.133.Final in all affected services and rebuild dependent artifacts
- Audit all code paths that pass user-controlled data into HttpProxyHandler outbound headers
- Restrict proxy configuration so that only trusted internal components can supply outbound header values
Patch Information
The vulnerability is fixed in Netty 4.2.13.Final and 4.1.133.Final. The patches restore header validation in the CONNECT request construction path. Refer to the Netty GHSA-45q3-82m4-75jr advisory for release notes and remediation details.
Workarounds
- Sanitize all header values for \r and \n characters before passing them to HttpProxyHandler
- Reject or strip user-supplied input from any header map forwarded to the proxy handler until upgrade is possible
- Place an intermediate HTTP-aware proxy that enforces strict CRLF rejection between Netty clients and upstream proxies
# Maven dependency upgrade example
mvn versions:use-dep-version -Dincludes=io.netty:netty-codec-http -DdepVersion=4.1.133.Final -DforceVersion=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
