CVE intelligence and bounded remediation

CVE-2021-21409 — Netty Netty security vulnerability

Medium CVSS 5.9

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Severity
Medium
CVSS
5.9 (3.1)
Published
2021-03-30
CISA KEV
Not currently listed
Ecosystem
software/application
Weaknesses
CWE-444

Affected products

  • netty / netty
  • debian / debian_linux / 10.0
  • netapp / oncommand_api_services
  • netapp / oncommand_workflow_automation
  • oracle / banking_corporate_lending_process_management / 14.2.0
  • oracle / banking_corporate_lending_process_management / 14.3.0

Showing 6 representative product identities from 28 source matches. Confirm exact affected versions with the linked vendor and NVD evidence.

Matched remediation archetype

HTTP request smuggling and message-boundary ambiguity

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Inventory every proxy, CDN, gateway, load balancer, service mesh, and application server hop on affected request paths.
  • Compare documented parsing and normalization behavior for message length, transfer coding, duplicate headers, and protocol translation.
  • Identify connection reuse and which downstream services trust headers added by intermediaries.

Remediate safely

  • Update affected intermediaries and origin servers and align them on a single standards-compliant request framing policy.
  • Reject ambiguous length, transfer-coding, duplicate, malformed, and unsupported framing before forwarding.
  • Normalize or remove hop-by-hop and identity headers at one controlled boundary and add multi-hop regression tests.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.