CVE-2026-41417

Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()

Description

Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.

INFO

Published Date :

2026-05-06T20:52:47.206Z

Last Modified :

2026-05-07T13:59:59.536Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-41417 vulnerability.

Vendors	Products
Netty	Netty

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41417.

URL	Resource
https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact