{"id":"CVE-2021-43797","details":"Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control characters when they are present at the beginning or end of a header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Without this validation, Netty might \"sanitize\" header names before it forwards them to another remote system when used as a proxy. That remote system can no longer see the invalid header name, and therefore does not perform the validation itself. Users should upgrade to version 4.1.71.Final.","aliases":["GHSA-wx5j-54mm-rqqq"],"modified":"2026-05-18T22:24:35.168215Z","published":"2021-12-09T19:15:07.960Z","related":["CGA-9pj8-4gmp-wp6g","SUSE-SU-2022:1271-1","SUSE-SU-2022:2047-1","openSUSE-SU-2024:11743-1","openSUSE-SU-2024:11981-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"10.0"},{"last_affected":"11.0"}],"vendor_product":"debian:debian_linux","source":"CPE_FIELD","cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"2.7"}],"vendor_product":"oracle:banking_deposits_and_lines_of_credit_servicing","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.7:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"2.7.0"}],"vendor_product":"oracle:banking_party_management","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"12.2.1.4.0"},{"last_affected":"14.1.1.0.0"}],"vendor_product":"oracle:coherence","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"1.11.0"}],"vendor_product":"oracl
e:communications_cloud_native_core_binding_support_function","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"1.8.0"}],"vendor_product":"oracle:communications_cloud_native_core_network_slice_selection_function","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"1.15.0"}],"vendor_product":"oracle:communications_cloud_native_core_policy","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"1.7.0"}],"vendor_product":"oracle:communications_cloud_native_core_security_edge_protection_proxy","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"1.15.0"}],"vendor_product":"oracle:communications_cloud_native_core_unified_data_repository","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"7.4.2"}],"vendor_product":"oracle:communications_design_studio","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"8.1"}],"vendor_product":"oracle:communications_instant_messaging_server","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:communications_instant_messaging_server:8.1:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"1.4.10"},{"last_affected":"2.4.0"}],"vendor_product":"oracle:helidon","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*","cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"8.58"},{"last_affected":"8.59"}],"vendor_product":"oracle:peoplesoft_enterprise_
peopletools","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*","cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*"]}]},"references":[{"type":"ADVISORY","url":"https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220107-0003/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5316"},{"type":"FIX","url":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/helidon-io/helidon","events":[{"introduced":"0"},{"last_affected":"101f1aaf0f9c993eb1da721dc0e5494627b4ce6b"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"2.6.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*"}}],"versions":["2.6.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43797.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/netty/netty","events":[{"introduced":"0"},{"fixed":"2e346c1d1d6fc58762f52fd31ee4dc5a92d3a5bd"},{"fixed":"07aa6b5938a8b6ed7a6586e066400e2643897323"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"4.1.71"}],"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*"}}],"versions":["netty-4.1.70.Final","netty-4.1.69.Final","netty-4.1.68.Final","netty-4.1.67.Final","netty-4.1.66.Final","netty-4.1.65.Final","netty-4.1.64.Final","netty-4.1.63.Final","netty-4.1.62.Final","netty-4.1.61.Final","netty-4.1.60.Final","netty-4.1.59.Final","netty-4.1.58.Final","netty-4.1.57.Final","netty-4.1.56.Final
","netty-4.1.55.Final","netty-4.1.54.Final","netty-4.1.53.Final","netty-4.1.52.Final","netty-4.1.51.Final","netty-4.1.50.Final","netty-4.1.49.Final","netty-4.1.48.Final","netty-4.1.47.Final","netty-4.1.46.Final","netty-4.1.45.Final","netty-4.1.44.Final","netty-4.1.43.Final","netty-4.1.42.Final","netty-4.1.41.Final","netty-4.1.40.Final","netty-4.1.39.Final","netty-4.1.38.Final","netty-4.1.37.Final","netty-4.1.36.Final","netty-4.1.35.Final","netty-4.1.34.Final","netty-4.1.33.Final","netty-4.1.32.Final","netty-4.1.31.Final","netty-4.1.30.Final","netty-4.1.29.Final","netty-4.1.28.Final","netty-4.1.27.Final","netty-4.1.26.Final","netty-4.1.25.Final","netty-4.1.24.Final","netty-4.1.23.Final","netty-4.1.22.Final","netty-4.1.21.Final","netty-4.1.20.Final","netty-4.1.19.Final","netty-4.1.18.Final","netty-4.1.17.Final","netty-4.1.16.Final","netty-4.1.15.Final","netty-4.1.14.Final","netty-4.1.13.Final","netty-4.1.12.Final","netty-4.1.11.Final","netty-4.1.10.Final","netty-4.1.9.Final","netty-4.1.8.Final","netty-4.1.7.Final","netty-4.1.6.Final","netty-4.1.5.Final","netty-4.1.4.Final","netty-4.1.3.Final","netty-4.1.2.Final","netty-4.1.1.Final","netty-4.1.0.Final","netty-4.1.0.CR7","netty-4.1.0.CR6","netty-4.1.0.CR5","netty-4.1.0.CR4","netty-4.1.0.CR3","netty-4.1.0.CR2","netty-4.1.0.CR1","netty-4.1.0.Beta8","netty-4.1.0.Beta7","netty-4.1.0.Beta6","netty-4.1.0.Beta5","netty-4.1.0.Beta4","netty-4.1.0.Beta3","netty-4.1.0.Beta2","netty-4.1.0.Beta1","netty-4.0.15.Final","netty-4.0.14.Final","netty-4.0.14.Beta1","netty-4.0.13.Final","netty-4.0.12.Final","netty-4.0.11.Final","netty-4.0.10.Final","netty-4.0.8.Final","netty-4.0.7.Final","netty-4.0.6.Final","netty-4.0.5.Final","netty-4.0.4.Final","netty-4.0.3.Final","netty-4.0.2.Final","netty-4.0.1.Final","netty-4.0.0.Final","netty-4.0.0.CR9","netty-4.0.0.CR8","netty-4.0.0.CR7","netty-4.0.0.CR5","netty-4.0.0.CR4","netty-4.0.0.CR3","netty-4.0.0.CR2","netty-4.0.0.CR1","netty-4.0.0.Beta3","netty-4.0.0.Beta2","netty-4.0.0.Beta1","netty-4.0.0.Al
pha8","netty-4.0.0.Alpha7","netty-4.0.0.Alpha6","netty-4.0.0.Alpha5","netty-4.0.0.Alpha4","netty-4.0.0.Alpha3","netty-4.0.0.Alpha2","netty-4.0.0.Alpha1"],"database_specific":{"vanir_signatures_modified":"2026-05-18T22:24:35Z","vanir_signatures":[{"signature_type":"Function","signature_version":"v1","target":{"function":"splitHeader","file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"},"deprecated":false,"source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","id":"CVE-2021-43797-06e8f123","digest":{"length":721,"function_hash":"18233425441436127750782009070532165344"}},{"signature_type":"Function","signature_version":"v1","target":{"function":"testContentLengthHeaderAndChunked","file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"},"deprecated":false,"source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","id":"CVE-2021-43797-1a525c75","digest":{"length":625,"function_hash":"172481325208139734420814766658866698590"}},{"signature_type":"Line","signature_version":"v1","target":{"file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"},"deprecated":false,"source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","id":"CVE-2021-43797-26cc52ea","digest":{"line_hashes":["309063670718511852852130624213590019128","236028198603043349454850779406824610877","270842797415329582936981774885370126028","186080358750429610931052563775734784239","226215294083256624125810313988307288511","226227342066640177055081876388804373096","138994542358011796466486833744208061858","105230826901819499999452807477415866947","334664931806984178562747170361686518977","161248011630319998146678241255534469769","261672280417367862732224899564577162249","17628894065973736492298769263740826268","103878262630415130004754967443765499734","11026235238673042823005249559779410821","1667165812197364662942673425035283
67140","142448574484156466214458763293749879625","60843268908281218031061033820250491848"],"threshold":0.9}},{"signature_type":"Function","signature_version":"v1","target":{"function":"validateHeaderNameElement","file":"codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java"},"deprecated":false,"source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","id":"CVE-2021-43797-4a51298f","digest":{"length":425,"function_hash":"269494387521881585452919491774019618154"}},{"signature_type":"Function","signature_version":"v1","target":{"function":"testWhitespaceBeforeTransferEncoding01","file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"},"deprecated":false,"source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","id":"CVE-2021-43797-519021ec","digest":{"length":181,"function_hash":"120389524553676198839368369664138070526"}},{"signature_type":"Line","signature_version":"v1","target":{"file":"codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java"},"deprecated":false,"source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","id":"CVE-2021-43797-51bcc4f8","digest":{"line_hashes":["242725271108212257826686151719562831231","277129886284590452125535259180690183607","37624302477473825498411741862664336775","228917488556910377238465181157986725774","140034408903480898175462269668254395793","68545724326011841925920210003172109296","152338190554326077557988043637150582391","228917488556910377238465181157986725774"],"threshold":0.9}},{"signature_type":"Function","signature_version":"v1","target":{"function":"testWhitespaceBeforeTransferEncoding02","file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"},"deprecated":false,"source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","id":"CVE-2021-43797-6743f810","digest":{"length":255,"function_has
h":"78882820443181217366376297190537956095"}},{"signature_type":"Function","signature_version":"v1","target":{"function":"findNonWhitespace","file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"},"deprecated":false,"source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","id":"CVE-2021-43797-896c8431","digest":{"length":464,"function_hash":"226325652847968273253557520703398600741"}},{"signature_type":"Function","signature_version":"v1","target":{"function":"testInvalidHeaders0","file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"},"deprecated":false,"source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","id":"CVE-2021-43797-89cf9790","digest":{"length":350,"function_hash":"143355351109797365878732174997598858949"}},{"signature_type":"Line","signature_version":"v1","target":{"file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"},"deprecated":false,"source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","id":"CVE-2021-43797-bee6ba3d","digest":{"line_hashes":["293566301854528473193701345220748168838","20493677530200135325719121561137500047","82344960543321320024408399124961733412","35637158797269933644520018473969402735","305950220969642324533573865219745257664","58081112648400015918910281176725437563","179050730279709306629066176660033019123","80143913047974372073414469457521783394","134919843011996964607502088886550557098","314471269814671764574450078684188688628","145458788300236256083064394210482398959","203505929758462516178032321139310340588","315989757269814039419848914586085166430","130910431073191905943905706865477642212","295279021656024965261560235598398861142","96053510847438498522627689639769355831","41606000927528761739111858373969682165","156109033474320444970105423142755047758","337890363482822668905493818716498701024","1698706319234289488516270510586
05385542","89943439626233183666145654945487999257","290012946538219556351694370753142870168","320931445265113101257787127976293787177","168085210419525997325080145804884642040","180226531019266707085505012886586320307","258175206180267023907493838535738061655","50103203110654270618969763800831939362","307126096742608635079049137510492356186","235725288567037057814612777792344782235"],"threshold":0.9}},{"signature_type":"Line","signature_version":"v1","target":{"file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpResponseDecoderTest.java"},"deprecated":false,"source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","id":"CVE-2021-43797-ccd3136b","digest":{"line_hashes":["327084716185792067665855380440375424198","280137859413748684000047352190436860807"],"threshold":0.9}},{"signature_type":"Function","signature_version":"v1","target":{"function":"validateHeaderNameElement","file":"codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java"},"deprecated":false,"source":"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323","id":"CVE-2021-43797-ecaa030e","digest":{"length":423,"function_hash":"270361193334713344899991966096587179287"}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43797.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"fixed":"6d6e2d99804875e216fb4a5caca01e5e901a9a07"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.5.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43797.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}