Miggo Logo
Miggo Vulnerability Database
CVE-2019-20445

CVE-2019-20445:
HTTP Request Smuggling in Netty

9.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-20445
GHSA ID
GHSA-p2v9-g2qv-p635
EPSS Score
0.62769%
CWE
CWE-444
Published
2/21/2020
Updated
8/16/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
io.netty:netty-handlermaven>= 4.0.0, < 4.1.454.1.45
org.jboss.netty:nettymaven< 4.0.0
io.netty:nettymaven< 4.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper header validation in HttpObjectDecoder. The CVE description and Netty's own fix (PR #9865) specifically show added validation for: 1) Duplicate Content-Length headers, and 2) Transfer-Encoding appearing with Content-Length. The decode() method would have processed these invalid combinations prior to the patch, making it the vulnerable entry point. The file path and class name are confirmed through multiple references including the GitHub commit diff and CVE analysis.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ttpO*j**t***o**r.j*v* in N*tty ***or* *.*.** *llows * *ont*nt-L*n*t* *****r to ** ***omp*ni** *y * s**on* *ont*nt-L*n*t* *****r, or *y * Tr*ns**r-*n*o*in* *****r.

Reasoning

T** vuln*r**ility st*ms *rom improp*r *****r v*li**tion in `*ttpO*j**t***o**r`. T** *V* **s*ription *n* `N*tty`'s own *ix (PR #****) sp**i*i**lly s*ow ***** v*li**tion *or: *) *upli**t* *ont*nt-L*n*t* *****rs, *n* *) Tr*ns**r-*n*o*in* *pp**rin* wit*