CVE-2021-21295

Netty is an open-source, asynchronous event-driven network application
framework for rapid development of maintainable high performance protocol
servers & clients. In Netty (io.netty:netty-codec-http2) before version
4.1.60.Final there is a vulnerability that enables request smuggling. If a
Content-Length header is present in the original HTTP/2 request, the field
is not validated by Http2MultiplexHandler as it is propagated up. This is
fine as long as the request is not proxied through as HTTP/1.1. If the
request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1
domain objects (HttpRequest, HttpContent, etc.) via
Http2StreamFrameToHttpObjectCodec and then sent up to the child channel’s
pipeline and proxied through a remote peer as HTTP/1.1 this may result in
request smuggling. In a proxy case, users may assume the content-length is
validated somehow, which is not the case. If the request is forwarded to a
backend channel that is a HTTP/1.1 connection, the Content-Length now has
meaning and needs to be checked. An attacker can smuggle requests inside
the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example
attack refer to the linked GitHub Advisory. Users are only affected if all
of this is true: HTTP2MultiplexCodec or Http2FrameCodec is used,
Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects,
and these HTTP/1.1 objects are forwarded to another remote peer. This has
been patched in 4.1.60.Final As a workaround, the user can do the
validation by themselves by implementing a custom ChannelInboundHandler
that is put in the ChannelPipeline behind
Http2StreamFrameToHttpObjectCodec.