Netty is an open-source, asynchronous, event-driven network application framework for rapid development of maintainable, high-performance protocol servers and clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request uses only a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1, because the HTTP/1.1 peer may rely on the unvalidated content-length value to delimit the message body. This is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. The issue was fixed in 4.1.61.Final.
[
    {
        "signature_type": "Line",
        "target": {
            "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
        },
        "deprecated": false,
        "source": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "13838573216768640385759793565529255181",
                "64590118773695994096416701453684169693",
                "40366867890308275733641722075111913202",
                "99442970543979916107411405808344167983",
                "198242231044819727702710407131067821833",
                "225394451863276396159374637437669084843",
                "301911554181015496237786310350552407434",
                "139803867202197457261202793786133121803",
                "110545635642286327695068815175686630525",
                "102270329366318299529951125491743550036",
                "96141737589129960175616447517902386799"
            ]
        },
        "id": "CVE-2021-21409-2dd43cd2",
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "target": {
            "function": "onHeadersRead",
            "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
        },
        "deprecated": false,
        "source": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
        "digest": {
            "function_hash": "248404261420512246011971280766729204064",
            "length": 2300.0
        },
        "id": "CVE-2021-21409-50ee60f4",
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MultiplexTest.java"
        },
        "deprecated": false,
        "source": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "198474550372756316732781608140999075472",
                "222075586400587720623712958327292286488",
                "2476563565448013713485613998268497641",
                "284125967723317361815743930750478417322",
                "123032726700344086474560707545944672027",
                "321810393895313652773431334759360777572",
                "339270693203750699307445382171447256840",
                "157960450431527514498381399403836862564"
            ]
        },
        "id": "CVE-2021-21409-c44b07e9",
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "target": {
            "function": "headerMultipleContentLengthValidationShouldPropagate",
            "file": "codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MultiplexTest.java"
        },
        "deprecated": false,
        "source": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
        "digest": {
            "function_hash": "241598310014639263931222477268701821567",
            "length": 424.0
        },
        "id": "CVE-2021-21409-fc46fd41",
        "signature_version": "v1"
    }
]