CVE-2026-33870

Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

INFO

Published Date :

2026-03-27T19:54:15.586Z

Last Modified :

2026-03-31T13:55:47.863Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-33870 vulnerability.

Vendors	Products
Netty	Netty

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33870.

URL	Resource
https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8
https://nvd.nist.gov/vuln/detail/CVE-2026-33870
https://w4ke.info/2025/06/18/funky-chunks.html
https://w4ke.info/2025/10/29/funky-chunks-2.html
https://www.cve.org/CVERecord?id=CVE-2026-33870
https://www.rfc-editor.org/rfc/rfc9110

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact