
CVE-2019-20444:
HTTP Request Smuggling in Netty

CVSS Score: 9.1

Basic Information

EPSS Score: -
Published: 2/21/2020
Updated: 8/16/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package Name                 Ecosystem   Vulnerable Versions   First Patched Version
io.netty:netty-codec-http    maven       >= 4.0.0, < 4.1.44    4.1.44
org.jboss.netty:netty        maven       < 4.0.0               -
io.netty:netty               maven       < 4.0.0               -

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper header parsing in HttpObjectDecoder. The GitHub patch (PR #9871) specifically modifies the splitHeader method to add a check for missing colons, which was the root cause. The test case added in HttpRequestDecoderTest validates this scenario by sending a header without a colon, confirming the function's vulnerability prior to the fix. The CVE description and commit diff directly implicate this function as the source of improper header handling.
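The following is an added example, not code from Netty or from this advisory: a minimal Python model of the header-line check the analysis above describes. The lenient splitter stands in for the assumed pre-fix behaviour (a line with no colon is quietly accepted), the strict splitter for the fix (such a line is rejected), and the sample header block is constructed here; function names and the exact pre-fix behaviour are assumptions, not Netty's implementation.

```python
# Added example (not Netty's code): a minimal model of the header-line check
# described in the root-cause analysis. Names and behaviour are assumptions.
from typing import Callable, List, Tuple

Header = Tuple[str, str]
Splitter = Callable[[str], Header]


def split_header_lenient(line: str) -> Header:
    """Assumed pre-fix behaviour: a line with no ':' is not rejected; the whole
    line becomes the header name and the value is empty."""
    name, _sep, value = line.partition(":")
    return name.strip(), value.strip()


def split_header_strict(line: str) -> Header:
    """Behaviour modelled on the described fix: a header line that lacks a
    colon is a protocol error and is rejected rather than guessed at."""
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError(f"header line has no colon: {line!r}")
    if not name or name != name.rstrip():
        # RFC 7230: no whitespace is allowed between field-name and ':'
        raise ValueError(f"malformed field-name: {line!r}")
    return name, value.strip()


def parse_headers(raw: str, split: Splitter) -> List[Header]:
    """Parse a CRLF-terminated header block (the part before the empty line).
    A line starting with SP/HTAB is an obs-fold continuation of the previous
    header's value; every other line must be split into name and value."""
    headers: List[Header] = []
    for line in raw.split("\r\n"):
        if line == "":
            break  # empty line ends the header block
        if line[0] in " \t":
            if not headers:
                raise ValueError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
            continue
        headers.append(split(line))
    return headers


def check_header_block(raw: str) -> Tuple[bool, object]:
    """Defender-side check: return (True, headers) for a well-formed block or
    (False, reason) when the strict splitter rejects a line."""
    try:
        return True, parse_headers(raw, split_header_strict)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample header block; the second line is missing its colon and
# the fourth is an obs-fold continuation of X-Trace.
SAMPLE_BLOCK = (
    "Host: example.test\r\n"
    "X-Request-Tag abc\r\n"
    "X-Trace: t1\r\n"
    "\tcontinued\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("lenient:", parse_headers(SAMPLE_BLOCK, split_header_lenient))
    print("strict:", check_header_block(SAMPLE_BLOCK))
```

Run with the constructed block, the lenient path yields a header named "X-Request-Tag abc" with an empty value, while the strict path fails the whole block with a "no colon" error. The point for a defender is the disagreement itself: a message that one parser silently accepts and another rejects (or reads differently) is what makes the page's "separate header" versus "invalid fold" ambiguity exploitable, so the safe behaviour is to reject, and to log, any header line without a colon at the first hop.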


WAF Protection Rules

WAF Rule

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
