Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "9.2.6.3"
}
],
"source": "CPE_RANGE",
"vendor_product": "oracle:jd_edwards_enterpriseone_tools",
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"fixed": "21.1.12"
}
],
"source": "CPE_RANGE",
"vendor_product": "oracle:nosql_database",
"cpes": [
"cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "17.12.0"
},
{
"last_affected": "17.12.11"
},
{
"introduced": "18.8.0"
},
{
"last_affected": "18.8.11"
},
{
"introduced": "19.12.0"
},
{
"last_affected": "19.12.10"
}
],
"source": "CPE_RANGE",
"vendor_product": "oracle:primavera_gateway",
"cpes": [
"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "10.0"
},
{
"last_affected": "10.0"
}
],
"source": "CPE_STRING",
"vendor_product": "debian:debian_linux",
"cpes": [
"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "14.2.0"
},
{
"last_affected": "14.2.0"
},
{
"introduced": "14.3.0"
},
{
"last_affected": "14.3.0"
},
{
"introduced": "14.5.0"
},
{
"last_affected": "14.5.0"
}
],
"source": "CPE_STRING",
"vendor_product": "oracle:banking_corporate_lending_process_management",
"cpes": [
"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "14.2.0"
},
{
"last_affected": "14.2.0"
},
{
"introduced": "14.3.0"
},
{
"last_affected": "14.3.0"
},
{
"introduced": "14.5.0"
},
{
"last_affected": "14.5.0"
}
],
"source": "CPE_STRING",
"vendor_product": "oracle:banking_credit_facilities_process_management",
"cpes": [
"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "14.2.0"
},
{
"last_affected": "14.2.0"
},
{
"introduced": "14.3.0"
},
{
"last_affected": "14.3.0"
},
{
"introduced": "14.5.0"
},
{
"last_affected": "14.5.0"
}
],
"source": "CPE_STRING",
"vendor_product": "oracle:banking_trade_finance_process_management",
"cpes": [
"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "12.2.1.4.0"
},
{
"last_affected": "12.2.1.4.0"
},
{
"introduced": "14.1.1.0.0"
},
{
"last_affected": "14.1.1.0.0"
}
],
"source": "CPE_STRING",
"vendor_product": "oracle:coherence",
"cpes": [
"cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "12.0.0.3"
},
{
"last_affected": "12.0.0.3"
}
],
"source": "CPE_STRING",
"vendor_product": "oracle:communications_brm_-_elastic_charging_engine",
"cpes": [
"cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "1.7.0"
},
{
"last_affected": "1.7.0"
}
],
"source": "CPE_STRING",
"vendor_product": "oracle:communications_cloud_native_core_console",
"cpes": [
"cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "1.14.0"
},
{
"last_affected": "1.14.0"
}
],
"source": "CPE_STRING",
"vendor_product": "oracle:communications_cloud_native_core_policy",
"cpes": [
"cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "7.4.2.0.0"
},
{
"last_affected": "7.4.2.0.0"
}
],
"source": "CPE_STRING",
"vendor_product": "oracle:communications_design_studio",
"cpes": [
"cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "8.1"
},
{
"last_affected": "8.1"
}
],
"source": "CPE_STRING",
"vendor_product": "oracle:communications_messaging_server",
"cpes": [
"cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "1.4.10"
},
{
"last_affected": "1.4.10"
},
{
"introduced": "2.4.0"
},
{
"last_affected": "2.4.0"
}
],
"source": "CPE_STRING",
"vendor_product": "oracle:helidon",
"cpes": [
"cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*"
]
}
]
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "4.1.61"
}
]
}"2026-07-09T00:22:28Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21409.json"
[
{
"id": "CVE-2021-21409-2dd43cd2",
"digest": {
"line_hashes": [
"13838573216768640385759793565529255181",
"64590118773695994096416701453684169693",
"40366867890308275733641722075111913202",
"99442970543979916107411405808344167983",
"198242231044819727702710407131067821833",
"225394451863276396159374637437669084843",
"301911554181015496237786310350552407434",
"139803867202197457261202793786133121803",
"110545635642286327695068815175686630525",
"102270329366318299529951125491743550036",
"96141737589129960175616447517902386799"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
"deprecated": false,
"target": {
"file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
}
},
{
"id": "CVE-2021-21409-50ee60f4",
"digest": {
"function_hash": "248404261420512246011971280766729204064",
"length": 2300.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
"deprecated": false,
"target": {
"function": "onHeadersRead",
"file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
}
},
{
"id": "CVE-2021-21409-c44b07e9",
"digest": {
"line_hashes": [
"198474550372756316732781608140999075472",
"222075586400587720623712958327292286488",
"2476563565448013713485613998268497641",
"284125967723317361815743930750478417322",
"123032726700344086474560707545944672027",
"321810393895313652773431334759360777572",
"339270693203750699307445382171447256840",
"157960450431527514498381399403836862564"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
"deprecated": false,
"target": {
"file": "codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MultiplexTest.java"
}
},
{
"id": "CVE-2021-21409-fc46fd41",
"digest": {
"function_hash": "241598310014639263931222477268701821567",
"length": 424.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
"deprecated": false,
"target": {
"function": "headerMultipleContentLengthValidationShouldPropagate",
"file": "codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MultiplexTest.java"
}
}
]
{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "1.13.7"
}
]
}