Network Application Framework Vulnerability in Netty Affecting Multiple Versions
CVE-2026-50020
What is CVE-2026-50020?
Netty, a popular network application framework, has a vulnerability in its HttpObjectDecoder. Before versions 4.1.135.Final and 4.2.15.Final, this component inadequately handled certain control characters by skipping bytes that are deemed ISO control characters (0x00-0x1F and 0x7F), alongside all whitespace. This behavior exceeds the specifications outlined in RFC 9112 §2.2, which only requires servers to ignore empty CRLF lines preceding the request-line. The failure to address other non-CRLF control characters can lead to request-boundary confusion in environments that employ pipelined or multiplexed transports. The vulnerability can potentially be exploited when front-end components interpret these control characters differently, creating a substantial risk to data integrity and communication protocols.
Affected Version(s)
netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final
netty < 4.1.135.Final < 4.1.135.Final
