CVE-2026-42578
HIGHNetty: HTTP Header Injection via HttpProxyHandler Disabled Validation
Title source: cnaDescription
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr
Scores
CVSS v3
7.5
EPSS
0.0041
EPSS Percentile
32.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-113
Status
published
Products (5)
io.netty/netty-handler-proxy
0 - 4.1.133.FinalMaven
io.netty/netty-handler-proxy
4.2.0.Alpha1 - 4.2.13.FinalMaven
netty/netty
< 4.1.133
netty/netty
< 4.1.133.Final
netty/netty
>= 4.2.0.Alpha1, < 4.2.13.Final
Published
May 13, 2026
Tracked Since
May 14, 2026