CVE-2021-21409
Possible request smuggling in HTTP/2 due to missing validation of content-length
Description
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers and clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which did not fix this one case. This was fixed as part of 4.1.61.Final.
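The check the description says was missing is the comparison between the declared content-length and the number of body bytes actually delivered before END_STREAM, including the case where the stream ends on the HEADERS frame itself and no DATA frame ever arrives. The following is an added example, not Netty's code: it uses a constructed, simplified model of HTTP/2 frames (HeadersFrame, DataFrame, the end_stream flag) to show a validator that only runs when a DATA frame closes the stream, next to one that runs whenever the stream closes. A proxy translating to HTTP/1.1 needs the second form, otherwise a request with content-length set but no body is forwarded with a content-length the downstream peer will trust.

```python
from dataclasses import dataclass
from typing import Optional, Union

# Constructed frame model for illustration; not the Netty HTTP/2 codec API.
@dataclass
class HeadersFrame:
    headers: dict          # lower-cased header names, as HTTP/2 requires
    end_stream: bool       # END_STREAM flag on the HEADERS frame

@dataclass
class DataFrame:
    payload: bytes
    end_stream: bool       # END_STREAM flag on the DATA frame

Frame = Union[HeadersFrame, DataFrame]

class ContentLengthMismatch(Exception):
    """Declared content-length disagrees with the body actually received."""

def declared_content_length(headers: dict) -> Optional[int]:
    """Parse content-length strictly: digits only, no sign, no list of values."""
    value = headers.get("content-length")
    if value is None:
        return None
    if not value.isdigit():
        raise ContentLengthMismatch(f"malformed content-length: {value!r}")
    return int(value)

def validate_data_only(frames: list) -> bytes:
    """Illustrates the flaw class described above: the comparison happens only
    when a DATA frame carries END_STREAM, so a request whose single HEADERS
    frame ends the stream is never checked against its content-length."""
    expected = None
    received = bytearray()
    for frame in frames:
        if isinstance(frame, HeadersFrame):
            expected = declared_content_length(frame.headers)
        else:
            received += frame.payload
            if frame.end_stream and expected is not None and len(received) != expected:
                raise ContentLengthMismatch(f"expected {expected}, got {len(received)}")
        if frame.end_stream:
            break
    return bytes(received)

def validate_at_end_of_stream(frames: list) -> bytes:
    """Hardened form: whichever frame carries END_STREAM, compare the body
    length with the declared content-length before the request is forwarded."""
    expected = None
    received = bytearray()
    for frame in frames:
        if isinstance(frame, HeadersFrame):
            expected = declared_content_length(frame.headers)
        else:
            received += frame.payload
        if frame.end_stream:
            if expected is not None and len(received) != expected:
                raise ContentLengthMismatch(f"expected {expected}, got {len(received)}")
            return bytes(received)
    raise ContentLengthMismatch("stream ended without END_STREAM")

def is_consistent(validator, frames: list) -> bool:
    """True if the validator accepts the stream, False if it rejects it."""
    try:
        validator(frames)
        return True
    except ContentLengthMismatch:
        return False

if __name__ == "__main__":
    # Constructed sample streams.
    normal = [HeadersFrame({"content-length": "5"}, False), DataFrame(b"hello", True)]
    headers_only = [HeadersFrame({"content-length": "5"}, True)]   # no body follows
    print("normal, data-only check:  ", is_consistent(validate_data_only, normal))
    print("headers-only, data-only:  ", is_consistent(validate_data_only, headers_only))
    print("headers-only, end-of-stream:", is_consistent(validate_at_end_of_stream, headers_only))
```

The data-only validator accepts the headers-only stream because its comparison is never reached, which is exactly the gap a downstream HTTP/1.1 peer cannot detect once the content-length header has been forwarded as-is; the end-of-stream validator rejects it while still accepting a well-formed request.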
How to fix CVE-2021-21409
To remediate CVE-2021-21409, upgrade the affected package to a fixed version below.
- —upgrade to 1:4.1.48-4 or later
- —no fix listed
- —upgrade to 4.1.61.Final or later
- —no fix listed
Is CVE-2021-21409 being exploited?
Low — EPSS is 3.2%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 1:4.1.48-4
- from 0
- >= 4.0.0, < 4.1.61.Final
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |