
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CVE-2026-42578

Severity Low
Score 2.9/10

Summary

Netty is an asynchronous, event-driven network application framework. In 4.1.x prior to 4.1.133.Final and 4.2.x prior to 4.2.13.Final, Netty's "HttpProxyHandler" constructs the HTTP CONNECT request it sends to the proxy with header validation explicitly disabled: the "newInitialMessage()" method creates the request headers with "DefaultHttpHeadersFactory.headersFactory().withValidation(false)" and then copies the caller-supplied outboundHeaders into them without checking for CR or LF characters. An attacker who can influence those outbound headers (for example, when an application builds proxy credentials or custom proxy headers from user input) can therefore terminate a header with a CRLF sequence and inject arbitrary additional headers into the CONNECT request received by the proxy server. Applications that only pass constant, program-controlled headers are not exposed. The issue is fixed in 4.2.13.Final and 4.1.133.Final.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The software receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
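The following Python model illustrates the CWE-113 pattern described above and the check an application can apply on its side. It is an added example, not Netty code: "build_connect_request" mimics a handler that copies caller-supplied headers into a CONNECT request with validation switched off, "parse_request" shows how a proxy would read the result, and "validate_header" is the application-level rejection of CR, LF and other control characters that prevents the injection. The header values are constructed for the demonstration; "example.com", "internal" and the Base64 credential are placeholders.

```python
"""
Model of CRLF injection into an HTTP CONNECT request (CWE-113).
Constructed example; the functions below are not Netty's own code.
"""
import re

# RFC 9110 "token" characters, the only ones allowed in a header field name.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def validate_header(name, value):
    """Reject names that are not tokens and values containing CR, LF or
    any other control character (HTAB is the only control allowed)."""
    if not TOKEN_RE.match(name):
        raise ValueError(f"invalid header name: {name!r}")
    for ch in value:
        code = ord(ch)
        if (code < 0x20 and code != 0x09) or code == 0x7F:
            raise ValueError(f"control character {code:#04x} in value of {name!r}")


def build_connect_request(host, port, outbound_headers, validate=False):
    """Assemble 'CONNECT host:port' plus caller-supplied headers.
    With validate=False this reproduces the vulnerable behaviour: values are
    copied verbatim, so an embedded CRLF starts a new header line."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    for name, value in outbound_headers:
        if validate:
            validate_header(name, value)
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_request(raw):
    """Read the request the way a proxy would: request line, header lines up
    to the first blank line, and whatever follows (body or a second request)."""
    head, _, rest = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, rest


# Constructed attacker-influenced values (a proxy credential the user supplies).
HEADER_INJECTION = "Basic dXNlcjpwYXNz\r\nX-Injected: 1"
REQUEST_SPLITTING = "x\r\n\r\nGET http://internal/ HTTP/1.1\r\nHost: internal\r\n\r\n"


def vulnerable_demo(value):
    """Unvalidated copy: returns the proxy's view of the resulting request."""
    raw = build_connect_request("example.com", 443,
                                [("Proxy-Authorization", value)])
    return parse_request(raw)


def hardened_demo(value):
    """Same request built with validation: returns the rejection reason,
    or None if the value was accepted."""
    try:
        build_connect_request("example.com", 443,
                              [("Proxy-Authorization", value)], validate=True)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    line, headers, rest = vulnerable_demo(HEADER_INJECTION)
    print(line, headers)          # X-Injected appears as a separate header
    line, headers, rest = vulnerable_demo(REQUEST_SPLITTING)
    print(repr(rest))             # a second request follows the CONNECT
    print(hardened_demo(HEADER_INJECTION))
    print(hardened_demo("Basic dXNlcjpwYXNz"))
```

The validator rejects a bare CR or a bare LF as well as the CRLF pair, because some proxies accept a lone LF as a line terminator; the same check should be applied to any value an application lets an outside party supply before it is handed to a proxy handler, regardless of whether the library version has been upgraded.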
