Netty HttpObjectDecoder Request Smuggling Vulnerability via Content-Length and Transfer-Encoding Header Conflict

Vulnerability

A request smuggling vulnerability has been identified in Netty's HttpObjectDecoder component of the HTTP codec, affecting versions up to and including 4.2.12.Final and 4.1.132.Final. The issue arises in HTTP/1.0 requests that include both a Content-Length header and Transfer-Encoding: chunked. In these cases, Netty improperly decodes the body as chunked while retaining the Content-Length header in the forwarded HttpMessage. This misalignment can disrupt message boundaries when the message is processed by downstream proxies or handlers that prioritize Content-Length over Transfer-Encoding, facilitating request smuggling attacks.

Impact

Exploitation of this vulnerability leads to request smuggling at the Netty edge, allowing attackers to poison caches, fixate sessions against other users, gain unauthorized access to internal endpoints, and bypass web application firewalls or authentication layers that only inspect the initial logical request.

Reproduction

The vulnerability can be reproduced by sending an HTTP/1.0 request with both a Transfer-Encoding: chunked header and a Content-Length header. Netty will decode the body as chunked while leaving the Content-Length header intact in the forwarded HttpMessage. This can be verified using an EmbeddedChannel test that demonstrates the Content-Length header surviving the decoding process, contrary to the expected behavior in HTTP/1.1 requests where the header is stripped.
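The following EmbeddedChannel check is an added example written for this page; it is not code from the advisory or from Netty's own test suite. It assumes the Netty HTTP codec is on the classpath and uses a constructed request (the class name, the /submit path and the example.invalid host are placeholders). It feeds the same request shape through HttpRequestDecoder for both HTTP/1.1 and HTTP/1.0 and reports whether a successfully decoded HttpRequest still carries Content-Length, which is the behaviour described above; a decoder failure or a stripped header both count as safe, so the check stays valid whichever way a given release resolves the conflict.

```java
import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpRequestDecoder;
import io.netty.util.CharsetUtil;
import io.netty.util.ReferenceCountUtil;

/**
 * Added regression check (not part of the advisory or of Netty's test suite).
 * Decodes a constructed request carrying both Content-Length and
 * Transfer-Encoding: chunked and reports whether Content-Length survived on a
 * successfully decoded HttpRequest.
 */
public class ContentLengthStrippingCheck {

    /** Constructed request: one 3-byte chunk followed by the terminating chunk. */
    static String request(String httpVersion) {
        return "POST /submit " + httpVersion + "\r\n"
             + "Host: example.invalid\r\n"
             + "Content-Length: 3\r\n"
             + "Transfer-Encoding: chunked\r\n"
             + "\r\n"
             + "3\r\nabc\r\n"
             + "0\r\n\r\n";
    }

    /**
     * Returns true when the decoder emitted a successfully decoded HttpRequest
     * that still carries Content-Length (the defect described in the advisory).
     * A rejected request (decoder failure) or a stripped header both return false.
     */
    static boolean contentLengthSurvives(String httpVersion) {
        EmbeddedChannel ch = new EmbeddedChannel(new HttpRequestDecoder());
        try {
            ch.writeInbound(Unpooled.copiedBuffer(request(httpVersion), CharsetUtil.US_ASCII));
            HttpRequest req = ch.readInbound();
            if (req == null) {
                throw new IllegalStateException("decoder produced no HttpRequest");
            }
            boolean survives = req.decoderResult().isSuccess()
                    && req.headers().contains(HttpHeaderNames.CONTENT_LENGTH);
            // Drain and release the HttpContent / LastHttpContent objects that follow
            // the head, so the channel shuts down without leaking buffers.
            Object o;
            while ((o = ch.readInbound()) != null) {
                ReferenceCountUtil.release(o);
            }
            return survives;
        } finally {
            ch.finishAndReleaseAll();
        }
    }

    public static void main(String[] args) {
        // On an affected build the HTTP/1.0 line reports true while HTTP/1.1 reports false.
        for (String version : new String[] {"HTTP/1.1", "HTTP/1.0"}) {
            System.out.println(version + ": Content-Length survives decode = "
                    + contentLengthSurvives(version));
        }
    }
}
```

Run it against the Netty version actually deployed; a true result for HTTP/1.0 means the forwarded HttpMessage carries both framing headers and any downstream component that trusts Content-Length can disagree with Netty about where the request ends.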

Remediation

Users can upgrade to Netty versions 4.2.13.Final or 4.1.133.Final, where this vulnerability has been fixed.

Added: May 13, 2026, 7:27 PM
Updated: May 13, 2026, 7:27 PM

Vulnerability Rating

Custom Algorithm
spread: 8.6
impact: 0.6
exploitability: 8.9
remediation: 7.7
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.