io.netty:netty-codec-http (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package io.netty:netty-codec-http, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (16)
CVE-2019-20444 — CVSS 9.1 (critical): HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header…
CVE-2026-33870 — CVSS 7.5 (high): Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty…
CVE-2025-58056 — CVSS 7.5 (high): Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and…
CVE-2026-42587 — CVSS 7.5 (high): Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor…
CVE-2026-42584 — CVSS 7.3 (high): Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each…
CVE-2022-41915 — CVSS 6.5 (medium): Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final…
CVE-2025-67735 — CVSS 6.5 (medium): Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the…
CVE-2026-42580 — CVSS 6.5 (medium): Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser…
CVE-2026-42585 — CVSS 6.5 (medium): Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses…
CVE-2021-43797 — CVSS 6.5 (medium): Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers…
CVE-2021-21290 — CVSS 6.2 (medium): Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance…
CVE-2026-42581 — CVSS 5.8 (medium): Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a…
CVE-2022-24823 — CVSS 5.5 (medium): Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version…
CVE-2026-50020 — CVSS 5.3 (medium): Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final…
CVE-2024-29025 — CVSS 5.3 (medium): Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers…
CVE-2026-41417 — CVSS 5.3 (medium): Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is…