{"vulnerability": "CVE-2026-50020", "sightings": [{"uuid": "a12a9ffa-302d-4104-a447-78dce7700c8b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-50020", "type": "seen", "source": "https://gist.github.com/alon710/8b8701e874abebd14b3f406541fda6b0", "content": "# CVE-2026-50020: HTTP Request Smuggling in Netty HttpObjectDecoder via Arbitrary Leading Control Bytes\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-50020\n\n## Summary\nCVE-2026-50020 is a medium-severity HTTP Request/Response Smuggling vulnerability (CWE-444) in the Netty asynchronous network application framework. The flaw resides in Netty's HTTP codec, specifically the HttpObjectDecoder class, which silently consumes arbitrary ISO control bytes preceding the first request line.\n\n## TL;DR\nNetty's HTTP decoder silently skips leading non-CRLF control characters (such as SOH or NUL) ahead of the request line. A decoder that tolerates such bytes and a front-end proxy that does not can disagree about where a request begins, which is what allows attackers to smuggle HTTP requests through reverse proxies.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-444\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 5.3 (Medium)\n- **EPSS Score**: 0.00232 (0.23%)\n- **EPSS Percentile**: 13.85%\n- **Exploit Status**: Proof of Concept (PoC)\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- io.netty:netty-codec-http\n- **netty-codec-http**: >= 4.1.0, < 4.1.135.Final (Fixed in: `4.1.135.Final`)\n- **netty-codec-http**: >= 4.2.0, < 4.2.15.Final (Fixed in: `4.2.15.Final`)\n\n## Mitigation\n\n- Upgrade Netty to version 4.1.135.Final, 4.2.15.Final, or later.\n- Disable HTTP pipelining and connection keep-alive on backends to prevent socket reuse.\n- Enable HTTP/2 on backend connections to isolate distinct requests structurally.\n\n**Remediation Steps:**\n1. Review all Maven and Gradle dependency hierarchies (e.g. `mvn dependency:tree`, `gradle dependencies`) for transitive Netty dependencies.\n2. Apply dependency management overrides in build files to force io.netty:netty-codec-http to 4.1.135.Final or 4.2.15.Final (or later).\n3. Configure reverse proxies (e.g. NGINX, HAProxy) to reject non-printable control characters where a request line is expected; a blanket rule against control bytes in request bodies will break binary uploads.\n\n## References\n\n- [GitHub Security Advisory GHSA-hvcg-qmg6-jm4c](https://github.com/netty/netty/security/advisories/GHSA-hvcg-qmg6-jm4c)\n- [CVE Record on CVE-2026-50020](https://www.cve.org/CVERecord?id=CVE-2026-50020)\n- [NVD Vulnerability Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-50020)\n- [Wiz Vulnerability Database](https://www.wiz.io/vulnerability-database/cve/cve-2026-50020)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-50020) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T22:41:28.000000Z"}]}
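The TL;DR in the sighting above describes a decoder that skips any leading ISO control bytes before the request line, while a strict front end tolerates at most a leading CRLF. The following is an added example, not Netty's code and not part of the report: it models those two parsing behaviours side by side and classifies raw request bytes so a proxy-side filter or a test harness can flag the control-byte prefix before it reaches a Netty back end. The ISO control range mirrors Java's Character.isISOControl; the request-line regex, the function names and the sample messages are assumptions constructed for the example.

```python
"""Flag HTTP/1.x requests that start with control bytes other than CR/LF.

Added example, not Netty's code. It models the lenient behaviour the advisory
describes (skipping any leading ISO control bytes before the request line)
next to a strict parser, and classifies raw request bytes so a proxy-side
filter or test harness can reject the prefix before it reaches the back end.
"""
import re
from typing import List, Optional

# Java's Character.isISOControl(): U+0000..U+001F and U+007F..U+009F.
ISO_CONTROL = frozenset(range(0x00, 0x20)) | frozenset(range(0x7F, 0xA0))
CRLF = frozenset((0x0D, 0x0A))
# Minimal request-line shape assumed here: METHOD SP target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^[A-Z]+ [^ \r\n]+ HTTP/1\.[01]\r\n")


def leading_control_bytes(raw: bytes) -> bytes:
    """The run of ISO control bytes at the start of raw (empty if none)."""
    n = 0
    while n < len(raw) and raw[n] in ISO_CONTROL:
        n += 1
    return raw[:n]


def classify_prefix(raw: bytes) -> str:
    """'clean' (no prefix), 'leading-crlf' (the RFC 7230 section 3.5
    tolerance for empty lines before a request-line) or 'control-prefix'
    (anything else, e.g. SOH or NUL: the case this advisory is about)."""
    prefix = leading_control_bytes(raw)
    if not prefix:
        return "clean"
    if all(b in CRLF for b in prefix):
        return "leading-crlf"
    return "control-prefix"


def lenient_request_line(raw: bytes) -> Optional[bytes]:
    """Request-line as seen by a decoder that skips every leading control
    byte (the behaviour the advisory describes for HttpObjectDecoder)."""
    stripped = raw[len(leading_control_bytes(raw)):]
    m = REQUEST_LINE.match(stripped)
    return m.group(0).rstrip(b"\r\n") if m else None


def strict_request_line(raw: bytes) -> Optional[bytes]:
    """Request-line as seen by a parser that tolerates only leading CRLF."""
    m = REQUEST_LINE.match(raw.lstrip(b"\r\n"))
    return m.group(0).rstrip(b"\r\n") if m else None


def audit(messages: List[bytes]) -> List[dict]:
    """Classify each raw message and record where the two parsers disagree."""
    report = []
    for raw in messages:
        lenient, strict = lenient_request_line(raw), strict_request_line(raw)
        report.append({
            "prefix": classify_prefix(raw),
            "lenient": lenient,
            "strict": strict,
            "desync": lenient != strict,  # lenient accepts what strict rejects
        })
    return report


# Constructed sample messages (header-only, no bodies); not captured traffic.
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: app\r\n\r\n",
    b"\r\nGET /health HTTP/1.1\r\nHost: app\r\n\r\n",
    b"\x01\x00GET /admin HTTP/1.1\r\nHost: app\r\n\r\n",
    b"\x01\x02not-a-request-line\r\n\r\n",
]

if __name__ == "__main__":
    for raw, row in zip(SAMPLES, audit(SAMPLES)):
        print(raw[:12], row)
```

Only the third sample produces a disagreement: the lenient parser yields `GET /admin HTTP/1.1` where the strict one sees no request line at all, which is the precondition a filter at the proxy should reject. A leading bare CRLF is classified separately because it is legitimate tolerance under RFC 7230 and must not be blocked.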
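Remediation steps 1 and 2 in the sighting above amount to one procedure: list the dependency tree, find every io.netty:netty-codec-http that resolves inside an affected range, then override it. The following is an added example, not CVEReports' or the Netty project's code, that does the finding part over Maven `dependency:tree` and Gradle `dependencies` output. The affected ranges and fix versions are taken from the report text; the line regexes, function names and sample listing are assumptions constructed for the example, and netty-all is deliberately not matched because the advisory names only netty-codec-http.

```python
"""Scan Maven/Gradle dependency listings for io.netty:netty-codec-http versions
inside the ranges named in the CVE-2026-50020 advisory.

Added example, not CVEReports' or the Netty project's code. Affected ranges and
fix versions come from the advisory text; everything else is an assumption.
"""
import re
from typing import List, Optional, Tuple

ARTIFACT = "io.netty:netty-codec-http"
# First fixed release per minor line, from the advisory:
#   >= 4.1.0, < 4.1.135.Final   and   >= 4.2.0, < 4.2.15.Final
FIRST_FIXED = {(4, 1): (4, 1, 135), (4, 2): (4, 2, 15)}

# Matches Maven "dependency:tree" lines such as
#   io.netty:netty-codec-http:jar:4.1.100.Final:compile
# and Gradle "dependencies" lines such as
#   io.netty:netty-codec-http:4.2.10.Final -> 4.2.15.Final
# The colon after the artifact id keeps netty-codec-http2 from matching.
DEP_RE = re.compile(
    r"io\.netty:netty-codec-http:(?:jar:)?(?P<declared>\d[^:\s]*)"
    r"(?:\s*->\s*(?P<resolved>\d[^\s(]*))?"
)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](.+))?$")


def parse_version(v: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """'4.1.100.Final' -> ((4, 1, 100), 'Final'); None if not Netty-style."""
    m = VERSION_RE.match(v)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3])), (m[4] or "")


def is_vulnerable(version: str) -> bool:
    """True if version falls in an advisory-listed affected range.

    Assumption: minor lines the advisory does not list (e.g. 4.0.x) are
    reported as not affected. A non-Final qualifier on the fix version itself
    (e.g. 4.1.135.Final-SNAPSHOT) is treated conservatively as still affected.
    """
    parsed = parse_version(version)
    if parsed is None:
        return False
    triple, qualifier = parsed
    fixed = FIRST_FIXED.get(triple[:2])
    if fixed is None:
        return False
    if triple < fixed:
        return True
    return triple == fixed and qualifier != "Final"


def scan_dependency_listing(text: str) -> List[Tuple[int, str, bool]]:
    """Return (line_no, effective_version, vulnerable) for every match.

    For Gradle lines with a conflict-resolution arrow the resolved version is
    what lands on the classpath, so that is the one checked.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = DEP_RE.search(line)
        if not m:
            continue
        version = m["resolved"] or m["declared"]
        findings.append((line_no, version, is_vulnerable(version)))
    return findings


# Constructed sample mixing Maven and Gradle output formats; not real project data.
SAMPLE_LISTING = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- io.netty:netty-all:jar:4.1.100.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.100.Final:compile
[INFO] |  \\- io.netty:netty-codec-http2:jar:4.1.100.Final:compile
[INFO] \\- org.example:other:jar:2.0:compile
+--- io.netty:netty-codec-http:4.2.10.Final -> 4.2.15.Final
+--- io.netty:netty-codec-http:4.2.14.Final (*)
"""

if __name__ == "__main__":
    for line_no, version, vulnerable in scan_dependency_listing(SAMPLE_LISTING):
        print(f"line {line_no}: {ARTIFACT}:{version} "
              f"{'VULNERABLE' if vulnerable else 'ok'}")
```

Pipe real output into it (`mvn dependency:tree | python3 scan.py` with a stdin reader in place of the sample) and feed every VULNERABLE line into a dependencyManagement or Gradle constraint pinning 4.1.135.Final or 4.2.15.Final, then re-run the scan to confirm the resolved version moved.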