CVE-2026-42578

NameCVE-2026-42578
DescriptionNetty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
netty (PTS)bullseye1:4.1.48-4+deb11u2vulnerable
bullseye (security)1:4.1.48-4+deb11u3vulnerable
bookworm1:4.1.48-7+deb12u1vulnerable
bookworm (security)1:4.1.48-7+deb12u2vulnerable
trixie1:4.1.48-10vulnerable
trixie (security)1:4.1.48-10+deb13u1vulnerable
forky, sid1:4.1.48-16vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nettysource(unstable)(unfixed)

Notes

https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr
Search for package or bug name: Reporting problems