Netty HTTP Request Smuggling Vulnerability Due to Improper Transfer-Encoding Parsing

Vulnerability

A request smuggling vulnerability has been identified in Netty versions through 4.2.12.Final and 4.1.132.Final. The issue arises because Netty incorrectly processes malformed 'Transfer-Encoding' headers, particularly when 'chunked' and 'identity' are combined. This misinterpretation allows an attacker to inject and smuggle additional HTTP requests. The vulnerability can be exploited if Netty is behind a proxy that forwards such malformed requests without proper validation.

Impact

Exploitation of this vulnerability allows for HTTP request smuggling, where an attacker can inject arbitrary HTTP requests that may be processed differently by the server or a downstream component.

Reproduction

The vulnerability can be reproduced by sending a POST request with a malformed 'Transfer-Encoding' header that includes both 'chunked' and 'identity', along with a 'Content-Length' header. Netty will incorrectly parse this request as chunked, allowing a second request to be smuggled inside the body of the first request.
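The advisory notes that exploitation depends on a front-end proxy forwarding the malformed request "without proper validation". The following is an added example, not Netty's code and not part of this advisory: a Python framing check of the kind a proxy or gateway can apply before forwarding, which rejects any request whose body length is ambiguous (a 'Transfer-Encoding' list that mixes 'chunked' with 'identity', 'chunked' not as the final coding, or 'Transfer-Encoding' combined with 'Content-Length'). Function names, the raw request samples and the header values are constructed for illustration.

```python
"""
Added example (not Netty code): a proxy-side request-framing check that
refuses requests whose body length cannot be determined unambiguously,
which is the precondition for the smuggling described above.
"""
from typing import List, Tuple

Header = Tuple[str, str]


class AmbiguousFraming(ValueError):
    """The request's body length is ambiguous; a proxy should answer 400 and close."""


def _header_values(headers: List[Header], name: str) -> List[str]:
    # Collect every value of a header case-insensitively, splitting comma lists
    # so 'chunked, identity' and two separate header lines are treated alike.
    wanted = name.lower()
    out: List[str] = []
    for key, value in headers:
        if key.lower() == wanted:
            out.extend(p.strip() for p in value.split(",") if p.strip())
    return out


def determine_framing(headers: List[Header]) -> str:
    """Return 'chunked', 'content-length' or 'no-body', or raise AmbiguousFraming."""
    te = [c.lower() for c in _header_values(headers, "Transfer-Encoding")]
    cl = _header_values(headers, "Content-Length")

    # RFC 7230 section 3.3.3: a message carrying both Transfer-Encoding and
    # Content-Length is malformed. Picking one (as a lenient parser does)
    # is what lets the front end and back end disagree on where the body ends.
    if te and cl:
        raise AmbiguousFraming("Transfer-Encoding and Content-Length both present")

    if te:
        # 'identity' is not a transfer coding in RFC 7230, and 'chunked' must be
        # the single, final coding for the message length to be well defined.
        if "identity" in te or te[-1] != "chunked" or te.count("chunked") != 1:
            raise AmbiguousFraming(f"unsupported Transfer-Encoding list: {te}")
        return "chunked"

    if cl:
        # Duplicate or differing Content-Length values, or a non-numeric value,
        # are equally unsafe to forward.
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise AmbiguousFraming(f"invalid Content-Length value(s): {cl}")
        return "content-length"

    return "no-body"


def is_ambiguous(headers: List[Header]) -> bool:
    """Convenience wrapper: True when the request should be rejected."""
    try:
        determine_framing(headers)
        return False
    except AmbiguousFraming:
        return True


def parse_head(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw request head (request line + header lines) into its parts."""
    lines = raw.split("\r\n")
    request_line = lines[0]
    headers: List[Header] = []
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


if __name__ == "__main__":
    # Constructed samples: one well-formed chunked request and the malformed
    # header combination named in the advisory (body omitted).
    good = "POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
    bad = ("POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           "Transfer-Encoding: chunked, identity\r\nContent-Length: 4\r\n\r\n")
    for raw in (good, bad):
        line, hdrs = parse_head(raw)
        try:
            print(f"{line}: forward as {determine_framing(hdrs)}")
        except AmbiguousFraming as exc:
            print(f"{line}: reject with 400 ({exc})")
```

A proxy applying this check answers the malformed request with 400 and closes the connection, so a back end that parses leniently never sees the ambiguous framing; the same logic can serve as a detection rule over captured request heads.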

Remediation

Users should upgrade to Netty versions 4.2.13.Final or 4.1.133.Final.

Added: May 13, 2026, 7:24 PM
Updated: May 13, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread: 8.6
impact: 0.6
exploitability: 8.5
remediation: 7.7
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.