Netty HttpClientCodec Response Desynchronization Vulnerability

Vulnerability

A bug in Netty's HttpClientCodec can cause the body of one response to be attributed to a different request. HttpClientCodec keeps a queue of the methods of outstanding requests so that its decoder knows which responses carry no body (a HEAD response never does, whatever its Content-Length header says). The issue affects Netty versions before 4.2.13.Final and 4.1.133.Final. It is triggered when HTTP/1.1 pipelining is used and a HEAD request is sent after a GET request. If the server answers the GET with a 103 informational response and then its final 200 response, the decoder mis-pairs the queued methods: the 103 is counted as the GET's response, so the 200 that follows is paired with the HEAD. The decoder therefore skips the body of that 200 instead of decoding it, the GET's body bytes remain in the stream, and they are parsed as the start of the next response. The real 200 for the HEAD request is then not decoded correctly.

Impact

The decoder attributes a response body to the wrong request and leaves unconsumed body bytes in the stream, so every response that follows on the same connection is parsed from the wrong offset. This breaks both the integrity and the availability of HTTP response handling on that connection: a client may act on a body that belongs to a different request, and later responses fail to decode. Continuing to use the socket after the desynchronization is unsafe.

Reproduction

To reproduce this vulnerability, send a GET request followed by a HEAD request on one connection with HTTP/1.1 pipelining enabled. Have the server respond with a 103 Early Hints status, then a 200 OK response for the GET request that includes a body, and then a 200 OK response for the HEAD request. On an affected version the 200 for the GET is paired with the HEAD request, its body is skipped, and the leftover body bytes corrupt the parsing of the HEAD's 200 response.
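The following is an added reproduction harness, not code from the Netty project or from the original advisory. It drives the real HttpClientCodec through an EmbeddedChannel so no server is needed: two requests are pipelined, and a constructed server reply (103, then a 200 with an 11-byte body for the GET, then a body-less 200 for the HEAD) is fed in as raw bytes. It assumes io.netty:netty-codec-http from a 4.1.x or 4.2.x release is on the classpath; the class name and the request paths are arbitrary. On a fixed build the decoded sequence is 103, 200 with 11 body bytes, 200 with no body; on an affected build the GET's 200 is treated as the HEAD response, its body is skipped, and the bytes "hello world" are fed back into the status-line parser, so the HEAD's 200 does not decode cleanly.

```java
import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.http.DefaultFullHttpRequest;
import io.netty.handler.codec.http.HttpClientCodec;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpObject;
import io.netty.handler.codec.http.HttpResponse;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.CharsetUtil;

// Hypothetical harness name; run with netty-codec-http on the classpath.
public class PipelinedHeadDesyncRepro {
    public static void main(String[] args) {
        EmbeddedChannel ch = new EmbeddedChannel(new HttpClientCodec());

        // Pipeline GET then HEAD. The codec records each outbound method so its
        // decoder can later decide whether the matching response has a body.
        ch.writeOutbound(new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, "/index.html"));
        ch.writeOutbound(new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.HEAD, "/index.html"));
        ch.releaseOutbound(); // discard the encoded request bytes; only the inbound side matters here

        // Constructed server reply: 103 Early Hints and a 200 with a body for the GET,
        // then a 200 for the HEAD (Content-Length present, but a HEAD response carries no body).
        String wire =
            "HTTP/1.1 103 Early Hints\r\n" +
            "Link: </style.css>; rel=preload\r\n" +
            "\r\n" +
            "HTTP/1.1 200 OK\r\n" +
            "Content-Length: 11\r\n" +
            "\r\n" +
            "hello world" +
            "HTTP/1.1 200 OK\r\n" +
            "Content-Length: 11\r\n" +
            "\r\n";
        ch.writeInbound(Unpooled.copiedBuffer(wire, CharsetUtil.US_ASCII));

        // Walk every decoded object. A status line is printed for each response,
        // the number of body bytes for each content chunk, and any decoder failure,
        // which is what the leftover GET body produces on an affected version.
        Object msg;
        while ((msg = ch.readInbound()) != null) {
            HttpObject obj = (HttpObject) msg;
            if (!obj.decoderResult().isSuccess()) {
                System.out.println("DECODE FAILURE: " + obj.decoderResult().cause());
            } else if (obj instanceof HttpResponse) {
                System.out.println("response " + ((HttpResponse) obj).status());
            }
            if (obj instanceof HttpContent) {
                HttpContent content = (HttpContent) obj;
                System.out.println("  body bytes: " + content.content().readableBytes());
                content.release();
            }
        }
        ch.finish();
    }
}
```

Run it once against the Netty version you ship and once against 4.1.133.Final or 4.2.13.Final; the difference in the printed sequence is the whole finding. Because the trigger depends only on the server choosing to send 103 Early Hints, a client that pipelines HEAD behind GET cannot prevent the condition from its side except by not pipelining.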

Remediation

Users should upgrade to Netty 4.2.13.Final or 4.1.133.Final, whichever matches the major line in use. Until the upgrade is in place, the trigger condition can be avoided by not pipelining HEAD requests behind GET requests on the same HTTP/1.1 connection, since the mis-pairing only occurs with pipelining.

Added: May 13, 2026, 7:25 PM
Updated: May 13, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm

spread: 8.6
impact: 1.3
exploitability: 9.5
remediation: 7.7
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.