netty-codec-http2 is vulnerable to HTTP request smuggling. The vulnerability stems from an incomplete fix for CVE-2021-21295, where the content-length header is not properly validated if the request uses a single Http2HeaderFrame with endStream set to true.
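
The check that has to hold on that path, shown as an added standalone model (not Netty's code and not the project's fix): the declared content-length must equal the DATA bytes received, including when the stream ends on the HEADERS frame itself. The class and method names are hypothetical, and the frames in `main` are constructed samples.

```java
import java.util.HashMap;
import java.util.Map;
// Illustrative model only: tracks declared vs. received body length per HTTP/2 stream.
public class ContentLengthCheck {
    private static final class State {
        final long declared; // -1 when no content-length header was sent
        long seen;           // DATA payload bytes received so far
        State(long declared) { this.declared = declared; }
    }
    private final Map<Integer, State> streams = new HashMap<>();

    // HEADERS frame. Returns false when the request is malformed and must be rejected.
    public boolean onHeaders(int streamId, String contentLength, boolean endStream) {
        State open = streams.get(streamId);
        if (open != null) return endStream && finish(streamId, open); // trailers close the stream
        long declared = -1;
        if (contentLength != null) {
            try { declared = Long.parseLong(contentLength.trim()); }
            catch (NumberFormatException e) { return false; }
            if (declared < 0) return false;
        }
        State s = new State(declared);
        streams.put(streamId, s);
        // The case from the advisory: the stream ends on the HEADERS frame,
        // so no DATA frame will ever arrive to trigger the length comparison.
        return !endStream || finish(streamId, s);
    }

    // DATA frame carrying `length` payload bytes.
    public boolean onData(int streamId, int length, boolean endStream) {
        State s = streams.get(streamId);
        if (s == null) return false;
        s.seen += length;
        if (s.declared >= 0 && s.seen > s.declared) { streams.remove(streamId); return false; }
        return !endStream || finish(streamId, s);
    }

    private boolean finish(int streamId, State s) {
        streams.remove(streamId);
        return s.declared < 0 || s.seen == s.declared;
    }

    public static void main(String[] args) {
        ContentLengthCheck c = new ContentLengthCheck();
        // Constructed sample frames.
        System.out.println("headers only, content-length 0: " + c.onHeaders(1, "0", true));
        System.out.println("headers only, content-length 5: " + c.onHeaders(3, "5", true));
        System.out.println("headers + 5 data bytes: " + (c.onHeaders(5, "5", false) && c.onData(5, 5, true)));
    }
}
```

A request that fails this check has to be rejected before it is translated to HTTP/1.1, because a downstream peer that trusts the forwarded content-length would read the following bytes as the body.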