CVE-2019-16869 - HTTP Request Smuggling in Netty
CVE-2019-16869 + HTTP Request Smuggling in Netty + High + 2019-10-11
One-sentence business risk
The vulnerable component sits in a commonly deployed application path and can create a material breach, outage, or compliance risk.
Research notes
- Root cause: Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a “Transfer-Encoding : chunked” line), which leads to HTTP request smuggling.
- Affected versions: maven:io.netty:netty-all >= 4.0.0.Beta1, < 4.1.42.Final; maven:org.jboss.netty:netty <= 3.2.9.Final; maven:io.netty:netty >= 3.3.0.Final, <= 4.0.0.Alpha8.
- Fixed / safe versions: 4.1.42.Final.
- Public exploit / PoC signal: the consulted NVD/GHSA/vendor sources describe the trigger class; treat it as reproducible until patched.
- CVSS: use upstream advisory score .
Exact vulnerable code pattern
forward_http2_request_without_body_length_state_validation(request)
Fixed / mitigated code pattern
reject ambiguous content-length/end-stream/body combinations before proxying
Dependency or runtime update:
mvn -q dependency:tree | grep -i netty || true
# update Maven/Gradle coordinates to 4.1.42.Final
Step-by-step integration guide
- Inventory
io.netty:nettyacross source, lockfiles, SBOMs, container images, CI images, and deployment manifests. - Upgrade to
4.1.42.Finalor apply the exact vendor patch referenced below. - Replace the vulnerable
request-smugglingpattern with the fixed pattern and fail closed on malformed input. - Add a regression test that exercises the advisory trigger and proves the request is rejected, bounded, or authorized.
- Deploy through canary, monitor security logs and resource metrics, then remove temporary edge blocks only after all runtimes are fixed.
Alternative mitigations
- Disable the vulnerable feature path while the package/runtime update rolls out.
- Add WAF or reverse-proxy rules for traversal tokens, prototype-polluting keys, oversized frames, shell metacharacters, or unauthenticated tool calls matching the trigger class.
- Restrict internal egress, rotate exposed secrets, and revoke affected tokens/keys if the vulnerability can disclose config, logs, JWT secrets, proxy credentials, or PKI material.
- For admin/API authorization issues, temporarily require elevated roles and explicit ownership checks at the gateway.
Detection signature
id: cve-2019-16869-http-request-smuggling-in-netty
source: GitHub Advisory Database
dependency_or_product: "io.netty:netty"
affected: "maven:io.netty:netty-all >= 4.0.0.Beta1, < 4.1.42.Final; maven:org.jboss.netty:netty <= 3.2.9.Final; maven:io.netty:netty >= 3.3.0.Final, <= 4.0.0.Alpha8"
fixed: "4.1.42.Final"
signals:
- "request-smuggling"
- "../"
- "__proto__"
- "tools/call"
- "wp_ajax_nopriv"
- "pickle.loads"
- "shell command construction"
action: "upgrade, add regression test, and verify deploy artifact"
Copy-paste skill
You are remediating CVE-2019-16869 (HTTP Request Smuggling in Netty) in this repository.
Find every affected dependency, runtime, image, service configuration, and reachable code path. Upgrade or patch to 4.1.42.Final. Replace the vulnerable request-smuggling pattern with a fail-closed implementation, add a regression test for the trigger shape, and update deployment/SBOM artifacts. If this repository does not control the affected runtime, create TRIAGE.md naming the owner, affected version, fixed version, and blocking decision.
Keywords, affected tech stack, and revenue tags
- Keywords:
CVE-2019-16869,request-smuggling,io.netty:netty,GitHub Advisory Database. - Affected tech stack:
java/maven. - Revenue tags:
sellable_to_fintech,enterprise_blocker,high_priority_sla.
References
- https://access.redhat.com/errata/RHSA-2019:3892
- https://access.redhat.com/errata/RHSA-2019:3901
- https://access.redhat.com/errata/RHSA-2020:0159
- https://access.redhat.com/errata/RHSA-2020:0160
- https://access.redhat.com/errata/RHSA-2020:0161
- https://access.redhat.com/errata/RHSA-2020:0164
- https://access.redhat.com/errata/RHSA-2020:0445
- https://github.com/advisories/GHSA-p979-4mfw-53vg
- https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final
- https://github.com/netty/netty/issues/9571
- https://lists.apache.org/thread.html/0acadfb96176768caac79b404110df62d14d30aa9d53b6dbdb1407ac@<issues.spark.apache.org>
- https://lists.apache.org/thread.html/19fed892608db1efe5a5ce14372137669ff639df0205323959af7de3@<dev.olingo.apache.org>
- https://lists.apache.org/thread.html/2494a2ac7f66af6e4646a4937b17972a4ec7cd3c7333c66ffd6c639d@<dev.zookeeper.apache.org>
- https://lists.apache.org/thread.html/2e1cf538b502713c2c42ffa46d81f4688edb5676eb55bd9fc4b4fed7@<issues.zookeeper.apache.org>
- https://lists.apache.org/thread.html/35961d1ae00849974353a932b4fef12ebce074541552eceefa04f1fd@<dev.olingo.apache.org>
- https://lists.apache.org/thread.html/37ed432b8eb35d8bd757f53783ec3e334bd51f514534432bea7f1c3d@<issues.zookeeper.apache.org>
- https://lists.apache.org/thread.html/380f6d2730603a2cd6b0a8bea9bcb21a86c199147e77e448c5f7390b@<commits.zookeeper.apache.org>
- https://lists.apache.org/thread.html/3e6d7aae1cca10257e3caf2d69b22f74c875f12a1314155af422569d@<dev.zookeeper.apache.org>
- https://lists.apache.org/thread.html/51923a9ba513b2e816e02a9d1fd8aa6f12e3e4e99bbd9dc884bccbbe@<issues.spark.apache.org>
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@<dev.drill.apache.org>
- https://lists.apache.org/thread.html/6063699b87b501ecca8dd3b0e82251bfc85f29363a9b46ac5ace80cf@<dev.olingo.apache.org>
- https://lists.apache.org/thread.html/64b10f49c68333aaecf00348c5670fe182e49fd60d45c4a3ab241f8b@<issues.spark.apache.org>
- https://lists.apache.org/thread.html/681493a2f9b63f5b468f741d88d1aa51b2cfcf7a1c5b74ea8c4343fb@<issues.spark.apache.org>
- https://lists.apache.org/thread.html/6e1e34c0d5635a987d595df9e532edac212307243bb1b49eead6d55b@<issues.zookeeper.apache.org>
- https://lists.apache.org/thread.html/76540c8b0ed761bfa6c81fa28c13057f13a5448aed079d656f6a3c79@<issues.zookeeper.apache.org>
- https://lists.apache.org/thread.html/799eb85d67cbddc1851a3e63a07b55e95b2f44f1685225d38570ce89@<issues.spark.apache.org>
- https://lists.apache.org/thread.html/860acce024d79837e963a51a42bab2cef8e8d017aad2b455ecd1dcf0@<issues.spark.apache.org>
- https://lists.apache.org/thread.html/9128111213b7b734ffc85db08d8f789b00a85a7f241b708e55debbd0@<issues.zookeeper.apache.org>
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@<commits.druid.apache.org>
- https://lists.apache.org/thread.html/a0f77c73af32cbe4ff0968bfcbbe80ae6361f3dccdd46f3177547266@<issues.zookeeper.apache.org>
- https://lists.apache.org/thread.html/af6e9c2d716868606523857a4cd7a5ee506e6d1710f5fb0d567ec030@<dev.olingo.apache.org>
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@<dev.drill.apache.org>
- https://lists.apache.org/thread.html/b264fa5801e87698e9f43f2b5585fbc5ebdc26c6f4aad861b258fb69@<dev.olingo.apache.org>
- https://lists.apache.org/thread.html/b2cd51795f938632c6f60a4c59d9e587fbacd7f7d0e0a3684850a30f@<issues.zookeeper.apache.org>
- https://lists.apache.org/thread.html/b3dda6399a0ea2b647624b899fd330fca81834e41b13e3e11e1002d8@<dev.olingo.apache.org>
- https://lists.apache.org/thread.html/b3ddeebbfaf8a288d7de8ab2611cf2609ab76b9809f0633248546b7c@<issues.spark.apache.org>
- https://lists.apache.org/thread.html/bdf7a5e597346a75d2d884ca48c767525e35137ad59d8f10b8fc943c@<dev.zookeeper.apache.org>
- https://lists.apache.org/thread.html/cbf6e6a04cb37e9320ad20e437df63beeab1755fc0761918ed5c5a6e@<commits.zookeeper.apache.org>
- https://lists.apache.org/thread.html/cf5aa087632ead838f8ac3a42e9837684e7afe6e0fcb7704e0c73bc0@<commits.zookeeper.apache.org>
- https://lists.apache.org/thread.html/d14f721e0099b914daebe29bca199fde85d8354253be9d6d3d46507a@<commits.cassandra.apache.org>
- https://lists.apache.org/thread.html/d3eb0dbea75ef5c400bd49dfa1901ad50be606cca3cb29e0d01b6a54@<issues.zookeeper.apache.org>
- https://lists.apache.org/thread.html/d7d530599dc7813056c712213e367b68cdf56fb5c9b73f864870bc4c@<dev.olingo.apache.org>
- https://lists.apache.org/thread.html/e192fe8797c192679759ffa6b15e4d0806546945a41d8ebfbc6ee3ac@<commits.tinkerpop.apache.org>
- https://lists.apache.org/thread.html/e39931d7cdd17241e69a0a09a89d99d7435bcc59afee8a9628d67769@<dev.zookeeper.apache.org>
- https://lists.apache.org/thread.html/ee6faea9e542c0b90afd70297a9daa203e20d41aa2ac7fca6703662f@<issues.spark.apache.org>
- https://lists.apache.org/thread.html/f6c5ebfb018787c764f000362d59e4b231c0a36b6253aa866de8c64e@<commits.cassandra.apache.org>
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@<issues.drill.apache.org>
- https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@<commits.camel.apache.org>
- https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@<common-issues.hadoop.apache.org>
- https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@<commits.cassandra.apache.org>
- https://lists.apache.org/thread.html/r3225f7dfe6b8a37e800ecb8e31abd7ac6c4312dbd3223dd8139c37bb@<commits.cassandra.apache.org>
- https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@<commits.cassandra.apache.org>
- https://lists.apache.org/thread.html/r73c400ab66d79821dec9e3472f0e2c048d528672bdb0f8bf44d7cb1f@<commits.cassandra.apache.org>
- https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@<commits.pulsar.apache.org>
- https://lists.apache.org/thread.html/r831e0548fad736a98140d0b3b7dc575af0c50faea0b266434ba813cc@<dev.rocketmq.apache.org>
- https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@<commits.pulsar.apache.org>
- https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@<common-issues.hadoop.apache.org>
- https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@<common-commits.hadoop.apache.org>
- https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@<common-issues.hadoop.apache.org>
- https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@<commits.cassandra.apache.org>
- https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@<issues.flink.apache.org>
- https://lists.apache.org/thread.html/rb25b42f666d2cac5e6e6b3f771faf60d1f1aa58073dcdd8db14edf8a@<dev.rocketmq.apache.org>
- https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@<common-issues.hadoop.apache.org>
- https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@<common-issues.hadoop.apache.org>
- https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@<commits.cassandra.apache.org>
- https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@<common-commits.hadoop.apache.org>
- https://lists.apache.org/thread.html/rcddf723a4b4117f8ed6042e9ac25e8c5110a617bab77694b61b14833@<dev.rocketmq.apache.org>
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@<commits.pulsar.apache.org>
- https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@<commits.pulsar.apache.org>
- https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@<common-commits.hadoop.apache.org>
- https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@<common-issues.hadoop.apache.org>
- https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@<commits.druid.apache.org>
- https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@<common-issues.hadoop.apache.org>
- https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@<common-issues.hadoop.apache.org>
- https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@<dev.flink.apache.org>
- https://lists.debian.org/debian-lts-announce/2019/09/msg00035.html
- https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html
- https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-16869
- https://seclists.org/bugtraq/2020/Jan/6
- https://usn.ubuntu.com/4532-1
- https://www.debian.org/security/2020/dsa-4597