Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions

Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.

N/A

HTTP请求的解释不一致性(HTTP请求私运)

Netty 环境问题漏洞

Netty是Netty社区的一款非阻塞I/O客户端-服务器框架，它主要用于开发Java网络应用程序，如协议服务器和客户端等。 Netty 4.1.124.Final版本和4.2.0.Alpha3至4.2.4.Final版本存在环境问题漏洞，该漏洞源于错误解析换行符，可能导致HTTP请求夹带攻击。

N/A

N/A