CVE-2021-21409

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21409
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21409.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-21409
Aliases
Downstream
Related
Published
2021-03-30T15:15:14Z
Modified
2025-10-08T04:19:57.207741Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request consists only of a single Http2HeaderFrame with endStream set to true: such a frame is the entire request and can carry no body, yet a non-zero content-length is accepted. This can lead to request smuggling when the request is proxied to a remote peer and translated to HTTP/1.1, because the translated request advertises a Content-Length for a body that is never sent, and the HTTP/1.1 peer then consumes the following bytes on the same connection as that body. This is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final.
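The following is an added Python model of the condition described above; it is not Netty's code and not the actual fix, and every class, function and sample request in it (H2Request, validate_content_length, translate_to_http1, parse_http1_stream, smuggle_scenario, the hosts and paths) is an assumption made for illustration. It shows both halves of the problem: a proxy that copies the content-length from a single END_STREAM HEADERS frame into an HTTP/1.1 request, and an HTTP/1.1 backend that then reads the next request on the shared upstream connection as the body of the first. The check modelled on the advisory's description of the fix rejects the frame instead.

```python
"""
Constructed model of the CVE-2021-21409 condition (not Netty's code): an HTTP/2
request that is a single HEADERS frame with END_STREAM set but still carries a
non-zero content-length. A proxy that copies that header while translating to
HTTP/1.1 emits a Content-Length with no body, so the upstream HTTP/1.1 server
reads the next request on the same connection as that body.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class H2Request:
    """Stand-in for one HTTP/2 request: pseudo-headers, regular headers,
    the END_STREAM flag on the HEADERS frame, and any DATA frame payload."""
    method: str
    path: str
    authority: str
    headers: List[Tuple[str, str]] = field(default_factory=list)
    end_stream: bool = True   # True: the HEADERS frame is the whole request
    data: bytes = b""         # payload of DATA frames, if any


def validate_content_length(req: H2Request) -> None:
    """Check modelled on the advisory's description of the fix: a HEADERS frame
    with END_STREAM set cannot be followed by a body, so any content-length
    other than 0 is a stream error. The non-END_STREAM branch is the general
    body-length check (assumed here, not quoted from the fix)."""
    values = [v for n, v in req.headers if n == "content-length"]
    if not values:
        return
    if any(not v.isdigit() for v in values):
        raise ValueError(f"malformed content-length: {values}")
    lengths = {int(v) for v in values}
    if len(lengths) != 1:
        raise ValueError(f"conflicting content-length values: {values}")
    (length,) = lengths
    if req.end_stream and length != 0:
        raise ValueError(f"content-length {length} on END_STREAM HEADERS frame with no body")
    if not req.end_stream and length != len(req.data):
        raise ValueError(f"content-length {length} != {len(req.data)} bytes of DATA")


def rejects(req: H2Request) -> bool:
    """True if the validation above raises for this request."""
    try:
        validate_content_length(req)
    except ValueError:
        return True
    return False


def translate_to_http1(req: H2Request, validate: bool) -> bytes:
    """Proxy side: turn the HTTP/2 request into HTTP/1.1 bytes for the upstream.
    validate=False reproduces the behaviour the advisory describes."""
    if validate:
        validate_content_length(req)
    lines = [f"{req.method} {req.path} HTTP/1.1", f"host: {req.authority}"]
    lines += [f"{n}: {v}" for n, v in req.headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + req.data


def parse_http1_stream(buf: bytes) -> List[Tuple[str, str, bytes]]:
    """Backend side: split a byte stream into (method, path, body) using
    Content-Length, the way an HTTP/1.1 server delimits pipelined requests."""
    requests = []
    while buf:
        head, sep, rest = buf.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete request; a real server would wait for more bytes
        lines = head.decode().split("\r\n")
        method, path, _ = lines[0].split(" ", 2)
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        body, buf = rest[:length], rest[length:]
        requests.append((method, path, body))
    return requests


def smuggle_scenario(validate: bool) -> List[Tuple[str, str, bytes]]:
    """Two clients share one upstream HTTP/1.1 connection behind the proxy.
    The attacker's single-frame request claims exactly enough body to swallow
    the victim's whole request. Both requests are constructed sample data."""
    victim = H2Request("GET", "/account", "api.example",
                       [("cookie", "session=victim-secret")])
    victim_bytes = translate_to_http1(victim, validate)
    attacker = H2Request("POST", "/upload", "api.example",
                         [("content-length", str(len(victim_bytes)))],
                         end_stream=True)  # no DATA frame is ever sent
    upstream = translate_to_http1(attacker, validate) + victim_bytes
    return parse_http1_stream(upstream)


if __name__ == "__main__":
    for method, path, body in smuggle_scenario(validate=False):
        print(method, path, body)  # victim's request arrives as attacker's body
    try:
        smuggle_scenario(validate=True)
    except ValueError as e:
        print("rejected:", e)
```

Without the check, the backend sees a single POST /upload whose body is the victim's entire GET, cookie included; with the check, the attacker's frame is rejected before anything reaches the upstream. Note that the check keys on END_STREAM on the HEADERS frame, not on the absence of DATA frames seen so far, which is exactly the distinction the earlier CVE-2021-21295 fix did not cover.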

References

Affected packages

Git / github.com/netty/netty

Affected ranges

Type
GIT
Repo
https://github.com/netty/netty
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

netty-4.*

netty-4.0.0.Alpha1
netty-4.0.0.Alpha2
netty-4.0.0.Alpha3
netty-4.0.0.Alpha4
netty-4.0.0.Alpha5
netty-4.0.0.Alpha6
netty-4.0.0.Alpha7
netty-4.0.0.Alpha8
netty-4.0.0.Beta1
netty-4.0.0.Beta2
netty-4.0.0.Beta3
netty-4.0.0.CR1
netty-4.0.0.CR2
netty-4.0.0.CR3
netty-4.0.0.CR4
netty-4.0.0.CR5
netty-4.0.0.CR7
netty-4.0.0.CR8
netty-4.0.0.CR9
netty-4.0.0.Final
netty-4.0.1.Final
netty-4.0.10.Final
netty-4.0.11.Final
netty-4.0.12.Final
netty-4.0.13.Final
netty-4.0.14.Beta1
netty-4.0.14.Final
netty-4.0.15.Final
netty-4.0.2.Final
netty-4.0.3.Final
netty-4.0.4.Final
netty-4.0.5.Final
netty-4.0.6.Final
netty-4.0.7.Final
netty-4.0.8.Final
netty-4.1.0.Beta1
netty-4.1.0.Beta2
netty-4.1.0.Beta3
netty-4.1.0.Beta4
netty-4.1.0.Beta5
netty-4.1.0.Beta6
netty-4.1.0.Beta7
netty-4.1.0.Beta8
netty-4.1.0.CR1
netty-4.1.0.CR2
netty-4.1.0.CR3
netty-4.1.0.CR4
netty-4.1.0.CR5
netty-4.1.0.CR6
netty-4.1.0.CR7
netty-4.1.0.Final
netty-4.1.1.Final
netty-4.1.10.Final
netty-4.1.11.Final
netty-4.1.12.Final
netty-4.1.13.Final
netty-4.1.14.Final
netty-4.1.15.Final
netty-4.1.16.Final
netty-4.1.17.Final
netty-4.1.18.Final
netty-4.1.19.Final
netty-4.1.2.Final
netty-4.1.20.Final
netty-4.1.21.Final
netty-4.1.22.Final
netty-4.1.23.Final
netty-4.1.24.Final
netty-4.1.25.Final
netty-4.1.26.Final
netty-4.1.27.Final
netty-4.1.28.Final
netty-4.1.29.Final
netty-4.1.3.Final
netty-4.1.30.Final
netty-4.1.31.Final
netty-4.1.32.Final
netty-4.1.33.Final
netty-4.1.34.Final
netty-4.1.35.Final
netty-4.1.36.Final
netty-4.1.37.Final
netty-4.1.38.Final
netty-4.1.39.Final
netty-4.1.4.Final
netty-4.1.40.Final
netty-4.1.41.Final
netty-4.1.42.Final
netty-4.1.43.Final
netty-4.1.44.Final
netty-4.1.45.Final
netty-4.1.46.Final
netty-4.1.47.Final
netty-4.1.48.Final
netty-4.1.49.Final
netty-4.1.5.Final
netty-4.1.50.Final
netty-4.1.51.Final
netty-4.1.52.Final
netty-4.1.53.Final
netty-4.1.54.Final
netty-4.1.55.Final
netty-4.1.56.Final
netty-4.1.57.Final
netty-4.1.58.Final
netty-4.1.59.Final
netty-4.1.6.Final
netty-4.1.60.Final
netty-4.1.7.Final
netty-4.1.8.Final
netty-4.1.9.Final

Database specific

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "13838573216768640385759793565529255181",
                    "64590118773695994096416701453684169693",
                    "40366867890308275733641722075111913202",
                    "99442970543979916107411405808344167983",
                    "198242231044819727702710407131067821833",
                    "225394451863276396159374637437669084843",
                    "301911554181015496237786310350552407434",
                    "139803867202197457261202793786133121803",
                    "110545635642286327695068815175686630525",
                    "102270329366318299529951125491743550036",
                    "96141737589129960175616447517902386799"
                ]
            },
            "source": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
            "deprecated": false,
            "target": {
                "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
            },
            "signature_type": "Line",
            "id": "CVE-2021-21409-2dd43cd2"
        },
        {
            "signature_version": "v1",
            "digest": {
                "length": 2300.0,
                "function_hash": "248404261420512246011971280766729204064"
            },
            "source": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
            "deprecated": false,
            "target": {
                "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java",
                "function": "onHeadersRead"
            },
            "signature_type": "Function",
            "id": "CVE-2021-21409-50ee60f4"
        },
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "198474550372756316732781608140999075472",
                    "222075586400587720623712958327292286488",
                    "2476563565448013713485613998268497641",
                    "284125967723317361815743930750478417322",
                    "123032726700344086474560707545944672027",
                    "321810393895313652773431334759360777572",
                    "339270693203750699307445382171447256840",
                    "157960450431527514498381399403836862564"
                ]
            },
            "source": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
            "deprecated": false,
            "target": {
                "file": "codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MultiplexTest.java"
            },
            "signature_type": "Line",
            "id": "CVE-2021-21409-c44b07e9"
        },
        {
            "signature_version": "v1",
            "digest": {
                "length": 424.0,
                "function_hash": "241598310014639263931222477268701821567"
            },
            "source": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
            "deprecated": false,
            "target": {
                "file": "codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MultiplexTest.java",
                "function": "headerMultipleContentLengthValidationShouldPropagate"
            },
            "signature_type": "Function",
            "id": "CVE-2021-21409-fc46fd41"
        }
    ]
}