CVE Catalog

CVE-2026-50020

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

In versions prior to 4.1.135.Final and 4.2.15.Final, `HttpObjectDecoder` in the Netty framework skipped control bytes and whitespace before reading the first request line. This can lead to request-boundary confusion in complex transports, creating a risk of attacks.

Risk Assessment

Organizations may be exposed to attacks related to improper request processing, potentially leading to unauthorized access or data manipulation.

Recommendation

It is recommended to upgrade to versions 4.1.135.Final or 4.2.15.Final to mitigate this vulnerability.

Original NVD description (English source)

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00–0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS