Netty HTTP Header Injection Vulnerability in HttpProxyHandler

A vulnerability exists in Netty's HttpProxyHandler component, specifically in versions through 4.2.12.Final and 4.1.132.Final. The issue arises because the HttpProxyHandler constructs HTTP CONNECT requests with header validation disabled, allowing for HTTP header injection. This vulnerability can be exploited by manipulating outbound headers, which are sent to the proxy server without proper validation. The flaw is a regression of a previously addressed CRLF injection vulnerability, now reintroduced by the same component.

Impact

Exploitation of this vulnerability allows for HTTP header injection in CONNECT proxy requests, which can lead to various issues such as bypassing proxy authentication or causing request smuggling.

Reproduction

To reproduce this vulnerability, use a Netty version prior to the patched releases. Create an HttpProxyHandler instance and provide outbound headers that include CRLF sequences. The headers will be accepted without validation, injecting the CRLF into the wire format of the HTTP CONNECT request.

Remediation

Users can upgrade to Netty versions 4.2.13.Final or 4.1.133.Final, where this vulnerability has been fixed.