Network Application Framework Vulnerability in Netty Affecting Multiple Versions
CVE-2026-50020

5.3MEDIUM

Key Information:

Vendor

Netty

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-50020?

Netty, a popular network application framework, has a vulnerability in its HttpObjectDecoder. Before versions 4.1.135.Final and 4.2.15.Final, this component inadequately handled certain control characters by skipping bytes that are deemed ISO control characters (0x00-0x1F and 0x7F), alongside all whitespace. This behavior exceeds the specifications outlined in RFC 9112 §2.2, which only requires servers to ignore empty CRLF lines preceding the request-line. The failure to address other non-CRLF control characters can lead to request-boundary confusion in environments that employ pipelined or multiplexed transports. The vulnerability can potentially be exploited when front-end components interpret these control characters differently, creating a substantial risk to data integrity and communication protocols.

Affected Version(s)

netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final

netty < 4.1.135.Final < 4.1.135.Final

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.