CVE-2026-33870

HIGH 7.5

Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

9th

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

CWE	CWE-444
Vendor	netty
Product	netty
Published	Mar 27, 2026
Last Updated	Mar 31, 2026

Stay Ahead of the Next One

Get instant alerts for netty netty

Be the first to know when new high vulnerabilities affecting netty netty are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

netty / netty

< 4.1.132.Final >= 4.2.0.Alpha1, < 4.2.10.Final

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8 w4ke.info: https://w4ke.info/2025/06/18/funky-chunks.html w4ke.info: https://w4ke.info/2025/10/29/funky-chunks-2.html rfc-editor.org: https://www.rfc-editor.org/rfc/rfc9110