CVE-2019-16869

HIGHScheduled

Published:Sep 26, 2019(6 years ago)

Modified:Jul 7, 2025

Remote ExploitNo Auth RequiredNo InteractionLow Complexity

Vulnerability Description

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

Attack Characteristics

Network AccessLow ComplexityNo Auth NeededNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
netty	netty	4.1.42	-
debian	debian_linux	-	-
debian	debian_linux	-

Timeline

Published
CVE disclosed publicly
Sep 26, 20196 years ago
Last Modified
Most recent update
Jul 7, 202510 months ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

161

https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3901Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0159Third Party Advisory

CVSS Score

v3.1

7.5/ 10.0

HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

At a Glance

Affected Products

161

References

netty / netty

https://access.redhat.com/errata/RHSA-2020:0160Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0161Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0164Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0445Third Party Advisory

https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1....Patch

https://github.com/netty/netty/issues/9571Exploit

https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/C...

https://lists.apache.org/thread.html/0acadfb96176768caac79b404110df62d...

https://lists.apache.org/thread.html/19fed892608db1efe5a5ce14372137669...

https://lists.apache.org/thread.html/2494a2ac7f66af6e4646a4937b17972a4...

https://lists.apache.org/thread.html/2e1cf538b502713c2c42ffa46d81f4688...

https://lists.apache.org/thread.html/35961d1ae00849974353a932b4fef12eb...

https://lists.apache.org/thread.html/37ed432b8eb35d8bd757f53783ec3e334...

https://lists.apache.org/thread.html/380f6d2730603a2cd6b0a8bea9bcb21a8...

https://lists.apache.org/thread.html/3e6d7aae1cca10257e3caf2d69b22f74c...

https://lists.apache.org/thread.html/51923a9ba513b2e816e02a9d1fd8aa6f1...

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a...

https://lists.apache.org/thread.html/6063699b87b501ecca8dd3b0e82251bfc...

https://lists.apache.org/thread.html/64b10f49c68333aaecf00348c5670fe18...

https://lists.apache.org/thread.html/681493a2f9b63f5b468f741d88d1aa51b...

https://lists.apache.org/thread.html/6e1e34c0d5635a987d595df9e532edac2...

https://lists.apache.org/thread.html/76540c8b0ed761bfa6c81fa28c13057f1...

https://lists.apache.org/thread.html/799eb85d67cbddc1851a3e63a07b55e95...

https://lists.apache.org/thread.html/860acce024d79837e963a51a42bab2cef...

https://lists.apache.org/thread.html/9128111213b7b734ffc85db08d8f789b0...

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8dae...

https://lists.apache.org/thread.html/a0f77c73af32cbe4ff0968bfcbbe80ae6...

https://lists.apache.org/thread.html/af6e9c2d716868606523857a4cd7a5ee5...

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca6680...

https://lists.apache.org/thread.html/b264fa5801e87698e9f43f2b5585fbc5e...

https://lists.apache.org/thread.html/b2cd51795f938632c6f60a4c59d9e587f...

https://lists.apache.org/thread.html/b3dda6399a0ea2b647624b899fd330fca...

https://lists.apache.org/thread.html/b3ddeebbfaf8a288d7de8ab2611cf2609...

https://lists.apache.org/thread.html/bdf7a5e597346a75d2d884ca48c767525...

https://lists.apache.org/thread.html/cbf6e6a04cb37e9320ad20e437df63bee...

https://lists.apache.org/thread.html/cf5aa087632ead838f8ac3a42e9837684...

https://lists.apache.org/thread.html/d14f721e0099b914daebe29bca199fde8...

https://lists.apache.org/thread.html/d3eb0dbea75ef5c400bd49dfa1901ad50...

https://lists.apache.org/thread.html/d7d530599dc7813056c712213e367b68c...

https://lists.apache.org/thread.html/e192fe8797c192679759ffa6b15e4d080...

https://lists.apache.org/thread.html/e39931d7cdd17241e69a0a09a89d99d74...

https://lists.apache.org/thread.html/ee6faea9e542c0b90afd70297a9daa203...

https://lists.apache.org/thread.html/f6c5ebfb018787c764f000362d59e4b23...

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609...

https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e8...

https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c...

https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b99...

https://lists.apache.org/thread.html/r3225f7dfe6b8a37e800ecb8e31abd7ac...

https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4...

https://lists.apache.org/thread.html/r73c400ab66d79821dec9e3472f0e2c04...

https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68...

https://lists.apache.org/thread.html/r831e0548fad736a98140d0b3b7dc575a...

https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d...

https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28...

https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339...

https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f...

https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274...

https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb7...

https://lists.apache.org/thread.html/rb25b42f666d2cac5e6e6b3f771faf60d...

https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760...

https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274...

https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e...

https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795...

https://lists.apache.org/thread.html/rcddf723a4b4117f8ed6042e9ac25e8c5...

https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb258...

https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3...

https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e...

https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bd...

https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc8...

https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686ff...

https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8...

https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5...

https://lists.debian.org/debian-lts-announce/2019/09/msg00035.htmlMailing List

https://lists.debian.org/debian-lts-announce/2020/02/msg00018.htmlMailing List

https://lists.debian.org/debian-lts-announce/2020/09/msg00004.htmlMailing List

https://seclists.org/bugtraq/2020/Jan/6Issue Tracking

https://usn.ubuntu.com/4532-1/Third Party Advisory

https://www.debian.org/security/2020/dsa-4597Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3901Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0159Third Party Advisory