Bug 2477226 (CVE-2026-42578)

Summary: CVE-2026-42578 netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Netty. The HttpProxyHandler component, which handles HTTP CONNECT requests, does not properly validate user-provided outbound headers. This allows an attacker to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This could lead to unexpected behavior or potential bypass of security controls on the proxy server.
Bug Depends On: 2482668

Description (OSIDB Bzimport, 2026-05-13 19:02:23 UTC):
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
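As an added illustration (not Netty's own code, and not a substitute for upgrading to 4.2.13.Final or 4.1.133.Final), the following wrapper rejects CR, LF and NUL in application-supplied headers before they reach HttpProxyHandler, which is the check the vulnerable newInitialMessage() skipped; the class and method names are hypothetical, and the sample header maps are constructed:

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.proxy.HttpProxyHandler;

import java.net.InetSocketAddress;
import java.util.Map;

/** Hypothetical helper: gate caller-controlled CONNECT headers before HttpProxyHandler sees them. */
public final class SafeProxyHeaders {

    // A CR, LF or NUL in a name or value can terminate the header line and start a new one.
    private static boolean hasCtl(CharSequence s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') return true;
        }
        return false;
    }

    /** Copies userHeaders into an HttpHeaders instance, failing fast on any control character. */
    public static HttpHeaders sanitize(Map<String, String> userHeaders) {
        // validate=true asks Netty to run its own checks too; the explicit check above does not rely on it.
        HttpHeaders out = new DefaultHttpHeaders(true);
        for (Map.Entry<String, String> e : userHeaders.entrySet()) {
            if (hasCtl(e.getKey()) || hasCtl(e.getValue())) {
                throw new IllegalArgumentException("control character in proxy header: " + e.getKey());
            }
            out.add(e.getKey(), e.getValue());
        }
        return out;
    }

    /** Builds the proxy handler only from headers that passed sanitize(). */
    public static HttpProxyHandler proxyHandler(InetSocketAddress proxy, Map<String, String> userHeaders) {
        return new HttpProxyHandler(proxy, sanitize(userHeaders));
    }

    public static void main(String[] args) {
        // Constructed sample input: the second map carries a CRLF-delimited extra line in its value.
        Map<String, String> ok = Map.of("Proxy-Authorization", "Basic dXNlcjpwYXNz");
        Map<String, String> bad = Map.of("X-Request-Id", "abc123\r\nInjected-Header: value");
        System.out.println("accepted: " + sanitize(ok).names());
        try {
            sanitize(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Applying the check at the point where headers enter the application (configuration, request context, user input) keeps the CONNECT request to a single, intended header set regardless of how the handler itself validates.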