Source: netty
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for netty.

CVE-2026-41417[0]:
| Netty allows request-line validation to be bypassed when a
| `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first
| and its URI is later changed via `setUri()`. The constructors reject
| CRLF and whitespace characters that would break the start-line, but
| `setUri()` does not apply the same validation. `HttpRequestEncoder`
| and `RtspEncoder` then write the URI into the request line verbatim.
| If attacker-controlled input reaches `setUri()`, this enables CRLF
| injection and insertion of additional HTTP or RTSP requests, leading
| to HTTP request smuggling or desynchronization on the HTTP side and
| request injection on the RTSP side. This issue is fixed in versions
| 4.2.13.Final and 4.1.133.Final.

https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41417
    https://www.cve.org/CVERecord?id=CVE-2026-41417

Please adjust the affected versions in the BTS as needed.
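As an added illustration (not part of this report or of netty's own code), the following Java snippet shows an application-side guard for the pattern the advisory describes: a request is built with a safe URI and its URI is later replaced from untrusted input. `UriGuard`, `isSafeRequestUri` and `setUriChecked` are hypothetical helper names; they apply the same CR/LF/whitespace rejection the constructors perform before delegating to `setUri()`, which is a stopgap for deployments that cannot yet move to 4.2.13.Final or 4.1.133.Final.

```java
import io.netty.handler.codec.http.DefaultHttpRequest;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpVersion;

// Hypothetical helper: mirrors the constructor-time start-line checks for setUri().
public final class UriGuard {

    // Reject any character that could terminate or split the request line:
    // CR, LF, SP, HTAB, other C0 controls and DEL. Empty URIs are rejected too.
    static boolean isSafeRequestUri(String uri) {
        if (uri == null || uri.isEmpty()) {
            return false;
        }
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c == '\r' || c == '\n' || c == ' ' || c == '\t' || c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        return true;
    }

    // Validate first, then delegate to the unvalidated setUri() of affected versions.
    static void setUriChecked(HttpRequest request, String uri) {
        if (!isSafeRequestUri(uri)) {
            throw new IllegalArgumentException(
                    "request URI contains CR, LF, whitespace or control characters");
        }
        request.setUri(uri);
    }

    public static void main(String[] args) {
        // The constructor validates this initial URI; the later setUri() call does not.
        HttpRequest req = new DefaultHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, "/");

        setUriChecked(req, "/index.html"); // accepted, URI updated

        try {
            // Constructed sample input containing a CRLF, as an attacker-controlled value might.
            setUriChecked(req, "/a\r\nb");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage()); // URI left unchanged
        }
    }
}
```

The same guard applies to `DefaultFullHttpRequest` and to RTSP requests, since both reach `setUri()` through the `HttpRequest` interface.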

