Netty HTTP Request Smuggling Vulnerability via Improper Chunked Transfer Encoding Parsing
Vulnerability
A request smuggling vulnerability has been identified in Netty versions through 4.1.131.Final and 4.2.10.Final. The issue arises because Netty incorrectly handles quoted strings in HTTP/1.1 chunked transfer encoding extension values. This parsing error allows attackers to manipulate how requests are interpreted by the server, potentially smuggling malicious requests past front-end proxies or load balancers. The vulnerability exploits a common leniency in HTTP parsing, where illegal characters are allowed in chunk extensions, creating a discrepancy that can be exploited to bypass security controls or interfere with normal application behavior.
Impact
Exploitation of this vulnerability leads to HTTP request smuggling, where an attacker can inject and manipulate requests that are processed by the server but not seen by the front-end. This can bypass security controls, poison cache systems, and hijack user sessions by stealing responses intended for other users.
Reproduction
To reproduce this vulnerability, send an HTTP request with 'Transfer-Encoding: chunked' and include a chunk extension that violates the RFC by introducing a newline character. Netty will misinterpret the chunk extension, allowing a second request to be pipelined and processed by the server as if it were part of the chunked body.
Remediation
Users can upgrade to Netty versions 4.2.12.Final or 4.1.132.Final, both of which address this vulnerability.
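The parsing rule at issue, as an added example (not Netty's code and not part of the advisory): a strict validator for the chunk-size line that follows the RFC 9112 grammar, so a quoted extension value can never contain CR or LF and the line must end in CRLF. It can serve as a regression check in a test harness or an intermediary. The function names, the 16-hex-digit size cap and the sample inputs are assumptions constructed for illustration.

```python
import re

# RFC 9112 section 7.1 grammar for the chunk-size line, as byte regexes.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string: qdtext or quoted-pair only; CR, LF and other controls are illegal.
QUOTED = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
BWS = rb"[ \t]*"
EXT = (BWS + rb";" + BWS + TOKEN
       + rb"(?:" + BWS + rb"=" + BWS + rb"(?:" + TOKEN + rb"|" + QUOTED + rb"))?")
# Assumption: cap chunk-size at 16 hex digits so it fits in 64 bits.
CHUNK_LINE = re.compile(rb"([0-9A-Fa-f]{1,16})((?:" + EXT + rb")*)\r\n")


def parse_chunk_header(buf: bytes) -> tuple[int, int]:
    """Return (chunk_size, header_length) or raise ValueError with a reason."""
    m = CHUNK_LINE.match(buf)
    if m:
        return int(m.group(1), 16), m.end()
    # Classify the failure by looking at the first line-ending byte.
    i = next((k for k, b in enumerate(buf) if b in b"\r\n"), len(buf))
    if i == len(buf):
        raise ValueError("incomplete chunk-size line")
    if buf[i:i + 2] != b"\r\n":
        raise ValueError("bare CR or LF in chunk-size line")
    raise ValueError("chunk-size line violates RFC 9112 grammar")


def verdict(buf: bytes) -> str:
    """Human-readable result for one buffer that starts at a chunk boundary."""
    try:
        size, used = parse_chunk_header(buf)
        return f"ok size={size} header_bytes={used}"
    except ValueError as exc:
        return f"reject: {exc}"


# Constructed sample inputs (chunk-size lines only, not captured traffic).
SAMPLES = [
    b"5\r\nhello\r\n",                 # plain chunk
    b'5;name="a;b"\r\nhello\r\n',      # legal quoted extension value
    b'5;name="a\nb"\r\nhello\r\n',     # LF inside the quoted value
    b'5;name="a\r\nb"\r\n',            # CRLF inside the quoted value
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", verdict(sample))
```

A parser that accepts either of the last two samples disagrees with its peers about where the chunk-size line ends, which is the discrepancy the advisory describes.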
