CVE-2021-21295: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

March 9, 2021 (updated November 7, 2023)

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched Final As a workaround, the user can do the validation by themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.

References

github.com/Netflix/zuul/pull/980
github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
nvd.nist.gov/vuln/detail/CVE-2021-21295
www.debian.org/security/2021/dsa-4885

Detect and mitigate CVE-2021-21295 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →