CVE-2026-41417— Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41417
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()
Source: NVD (National Vulnerability Database)
Vulnerability Description
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对CRLF序列的转义处理不恰当(CRLF注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Netty 注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Netty是Netty社区的一款非阻塞I/O客户端-服务器框架,它主要用于开发Java网络应用程序,如协议服务器和客户端等。 Netty 4.2.13.Final之前版本和4.1.133.Final之前版本存在注入漏洞,该漏洞源于setUri方法未对CRLF和空白字符进行验证,可能导致CRLF注入和HTTP请求夹带或RTSP请求注入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41417
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41417
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: netty
- CVE-2026-33871
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Fram - CVE-2026-33870
Netty: HTTP Request Smuggling via Chunked Extension Quoted-S - CVE-2025-67735
Netty has a CRLF Injection vulnerability in io.netty.handler - CVE-2025-59419
Netty netty-codec-smtp SMTP Command Injection Vulnerability - CVE-2025-58057
Netty's BrotliDecoder is vulnerable to DoS via zip bomb styl
Same vendor: netty
- CVE-2026-33871
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Fram - CVE-2026-33870
Netty: HTTP Request Smuggling via Chunked Extension Quoted-S - CVE-2025-67735
Netty has a CRLF Injection vulnerability in io.netty.handler - CVE-2025-59419
Netty netty-codec-smtp SMTP Command Injection Vulnerability - CVE-2025-58057
Netty's BrotliDecoder is vulnerable to DoS via zip bomb styl
Same weakness: CWE-93
- CVE-2026-42257
net-imap: Command Injection via "raw" arguments to multiple - CVE-2026-41570
PHPUnit: Argument injection via newline in PHP INI values fo - CVE-2026-39849
Pi-hole FTL remote code execution via newline injection in d - CVE-2026-34458
Sandboxie-Plus privilege escalation via INI CRLF injection b - CVE-2026-5140
Authorization Bypass in TUBITAK BILGEM's Pardus Update
V. Comments for CVE-2026-41417
No comments yet