[GHSA-p979-4mfw-53vg] HTTP Request Smuggling in Netty #5774

Open: wants to merge 1 commit into base branch poc-effectiveness/advisory-improvement-5774

Conversation

poc-effectiveness

Updates

  • Affected products

Comments
Hi maintainers 👋,

We would like to report a potential improvement regarding CVE-2019-16869.

Through our analysis, we discovered that the version 5.0.0.Alpha1 appears to be affected by the same vulnerability, but is not currently listed in the advisory. To support this, we have prepared and tested a PoC that reproduces the issue in this version.

You can find the corresponding PoC here:
🔗 https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-16869/5.0.0.Alpha1/exploit

We hope this helps improve the accuracy of the CVE’s affected version list. Please feel free to reach out if further validation is needed.

Best regards

@github-actions github-actions bot changed the base branch from main to poc-effectiveness/advisory-improvement-5774 June 30, 2025 12:18
@JonathanLEvans

Hi @poc-effectiveness,

GitHub is not the assigning CNA for this CVE. To ensure all CVE users receive the information, you will need to get the CVE record updated. Please contact the assigning CNA at cveform.mitre.org.

Let us know if you need assistance with this!

@poc-effectiveness (Author)

poc-effectiveness commented Jul 1, 2025

Hi @JonathanLEvans,

Thank you for your response! We will follow your suggestion and contact the assigning CNA to request updates to the CVE record.

In the meantime, we would like to consult on two follow-up questions, as we’ve encountered several similar cases during our analysis:

  1. For cases like this one, where a version affected by the vulnerability is not included in the NVD reports, does GitHub Advisory Database only allow updates after confirmation from the assigning CNA?

  2. In some other cases, we observed that the affected version is already listed in the NVD report, but not correctly reflected in the GitHub Advisory Database. In such cases, is CNA confirmation still required to update the GitHub advisory?

We understand that updating through the CNA can be a lengthy process, so we’d like to clarify these points in advance to better coordinate our future submissions.

Thanks again for your guidance and support!

Best regards
