CVE-2026-42578
Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
| CWE | CWE-113 |
| Vendor | netty |
| Product | netty |
| Published | May 13, 2026 |
| Last Updated | May 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for netty netty
Be the first to know when new unknown vulnerabilities affecting netty netty are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
netty / netty
>= 4.2.0.Alpha1, < 4.2.13.Final < 4.1.133.Final