Lucene search
+L

11 matches found

redhat
redhat
added 2026/07/09 3:29 p.m.5 views

netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation

A flaw was found in Netty. The HttpProxyHandler component, which handles HTTP CONNECT requests, does not properly validate user-provided outbound headers. This allows an attacker to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This could lead to unexpected...

7.5CVSS6.9AI score0.00952EPSS
Exploits1References5
susecve
susecve
added 2026/05/15 1:58 a.m.13 views

SUSE CVE-2026-42578

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...

7.5CVSS5.9AI score0.00952EPSS
Exploits1References4
nvd
nvd
added 2026/05/13 7:17 p.m.26 views

CVE-2026-42578

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...

7.5CVSS0.00952EPSS
Exploits1References10
cve
cve
added 2026/05/13 5:57 p.m.56 views

CVE-2026-42578

Netty CVE-2026-42578 affects HttpProxyHandler prior to 4.2.13.Final and 4.1.133.Final. The issue arises because HttpProxyHandler builds CONNECT requests with header validation disabled (newInitialMessage uses DefaultHttpHeadersFactory.headersFactory().withValidation(false) and then appends user-p...

7.5CVSS5.9AI score0.00952EPSS
Exploits1References10Affected Software1
osv
osv
added 2026/05/13 5:57 p.m.2 views

CVE-2026-42578 Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...

6.3CVSS6AI score0.00952EPSS
Exploits1References12
debiancve
debiancve
added 2026/05/13 5:57 p.m.20 views

CVE-2026-42578

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...

7.5CVSS5.9AI score0.00952EPSS
Exploits1
veracode
veracode
added 2026/05/09 5:6 a.m.12 views

HTTP Header Injection

io.netty, netty-handler-proxy is vulnerable to HTTP Header Injection. The vulnerability is due to improper validation of user-supplied outbound headers in the HttpProxyHandler CONNECT request construction, which allows an attacker to inject arbitrary HTTP headers into requests sent to the proxy...

7.5CVSS7AI score0.00952EPSS
Exploits1References13Affected Software1
snyk
snyk
added 2026/05/07 12:11 a.m.21 views

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection in the newInitialMessage function of HttpProxyHandler when header validation is explicitly disabled and user-influenced outboundHeaders are added without sanitization. An attacker can inject arbitrary HTTP headers into...

7.5CVSS6.9AI score0.00952EPSS
Exploits2References2
osv
osv
added 2024/01/24 8:20 p.m.54 views

GHSA-9F9P-CP3C-72JF Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in trillium-http and trillium-client

Summary Insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have sufficient control over outbound headers. Details Outbound trilliumhttp::HeaderValue and trilliumhttp::HeaderName can be constructed infallibly a...

6.8CVSS8.2AI score0.00632EPSS
Exploits0References7
github
github
added 2024/01/24 8:20 p.m.27 views

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in trillium-http and trillium-client

Summary Insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have sufficient control over outbound headers. Details Outbound trilliumhttp::HeaderValue and trilliumhttp::HeaderName can be constructed infallibly a...

8.1CVSS6.8AI score0.00632EPSS
Exploits0References7Affected Software2
github
github
added 2023/06/07 4:1 p.m.29 views

SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

NIOHTTP1 and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming request and reflects it into a HTTP/1.1 response header in some form. A malicious...

7.5CVSS7.1AI score0.00556EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder