CVE-2026-33870

HIGH

CVE-2026-33870 in io.root.io.netty:netty-codec-http - Patched by Root

Details

CVSS v3: 7.5
NVD published: 2026-03-27 20:16:34
EPSS: <0.1% probability · 3.1th percentile — 2026-05-07
Affected versions: cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
Summary: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Remediation: Not available in our cache.
Exploit info: https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8

TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.

Subscribe — free email digest or paid plan

Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.