Netty HTTP Request Smuggling Vulnerability via Lenient Chunk Extension Parsing

Vulnerability

A request smuggling vulnerability has been identified in Netty versions 4.1.124.Final and 4.2.0.Alpha3 through 4.2.4.Final. The issue arises from Netty's improper handling of chunk extensions in HTTP/1.1 messages using chunked transfer encoding. Specifically, Netty incorrectly accepts standalone newline characters (LF) as valid chunk-size line terminators, disregarding the required preceding carriage return (CR). This leniency violates HTTP/1.1 standards, which mandate a CRLF sequence to terminate chunk extensions. When exploited, this vulnerability allows attackers to craft requests that are misinterpreted by Netty, enabling request smuggling attacks, especially when combined with reverse proxies that parse line terminators differently.
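The strict line-termination rule described above can be checked mechanically. The following is an added example, not Netty's code or its fix: a small RFC 9112 framing validator that rejects any chunk-size or trailer line not ending in CRLF. The function names and the two sample bodies are constructed for illustration.

```python
# Added example: strict RFC 9112 framing check for a chunked message body.
HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")

class FramingError(ValueError):
    """Raised when the body is not framed exactly as RFC 9112 requires."""

def read_crlf_line(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Return (line without CRLF, offset after CRLF); reject bare LF or CR."""
    lf = buf.find(b"\n", pos)
    if lf == -1:
        raise FramingError("line is not terminated")
    if lf == pos or buf[lf - 1] != 0x0D:
        raise FramingError(f"bare LF at offset {lf}")
    line = buf[pos:lf - 1]
    if b"\r" in line:
        raise FramingError(f"bare CR before offset {lf}")
    return line, lf + 1

def check_chunked_body(body: bytes) -> int:
    """Walk every chunk; return the decoded payload length or raise."""
    pos = total = 0
    while True:
        line, pos = read_crlf_line(body, pos)
        size_field = line.split(b";", 1)[0].rstrip(b" \t")  # drop chunk-ext
        if not size_field or not set(size_field) <= HEXDIGITS:
            raise FramingError(f"invalid chunk-size {size_field!r}")
        size = int(size_field, 16)
        if size == 0:
            break  # last-chunk reached
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data is not followed by CRLF")
        total += size
        pos += size + 2
    while True:  # optional trailer fields, then the closing empty line
        line, pos = read_crlf_line(body, pos)
        if not line:
            return total

def verdict(body: bytes) -> str:
    """Summarize the check as an accept/reject string for logging."""
    try:
        return f"accept: {check_chunked_body(body)} payload bytes"
    except FramingError as exc:
        return f"reject: {exc}"

# Constructed sample bodies (not captured traffic).
WELL_FORMED = b"5;ext=1\r\nhello\r\n0\r\n\r\n"
BARE_LF_EXT = b"5;ext=1\nhello\r\n0\r\n\r\n"  # extension line ends in LF only
```

A parser that accepts `BARE_LF_EXT` is showing the leniency the advisory describes; a strict one fails closed at the first bare LF.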

Impact

Exploitation of this vulnerability leads to HTTP request smuggling, allowing attackers to bypass front-end access controls and manipulate responses served to other users.

Reproduction

To reproduce this vulnerability, send an HTTP/1.1 request with the 'Transfer-Encoding: chunked' header. Include a chunk extension that violates the RFC 9112 specification by omitting the required carriage return before a newline. Netty will process this request incorrectly, creating a parsing discrepancy that can be exploited.

Remediation

This vulnerability has been fixed in Netty versions 4.1.125.Final and 4.2.5.Final.

Added: Sep 3, 2025, 9:21 PM
Updated: Sep 3, 2025, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread: 8.6
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.