Package details: pkg:maven/io.netty/netty-codec-http@4.1.83
purl pkg:maven/io.netty/netty-codec-http@4.1.83
Tags Ghost
Next non-vulnerable version 4.1.125.Final
Latest non-vulnerable version 4.2.10.Final
Risk 3.1
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-m7b8-8zcj-uqey
Aliases:
CVE-2022-41915
GHSA-hh82-3pmq-7frp
Netty vulnerable to HTTP Response splitting from assigning header value iterator

### Impact

When calling `DefaultHttpHeaders.set` with an _iterator_ of values (as opposed to a single given value), header value validation was not performed, allowing malicious header values in the iterator to perform [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting).

### Patches

The necessary validation was added in Netty 4.1.86.Final.

### Workarounds

Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.

### References

* [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)
* [CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers](https://cwe.mitre.org/data/definitions/113.html)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [example link to repo](https://github.com/netty/netty)
* Email us at [netty-security@googlegroups.com](mailto:netty-security@googlegroups.com)
4.1.86.Final
Affected by 2 other vulnerabilities.
4.1.86
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-03T21:28:32.713989+00:00 GitLab Importer Affected by VCID-m7b8-8zcj-uqey https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-codec-http/CVE-2022-41915.yml 38.1.0