[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2022-41915":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":99,"aliases":109,"duplicate_of":9,"upstream":111,"downstream":112,"duplicates":129,"related":130,"reserved_at":9,"published_at":136,"modified_at":137,"state":138,"summary":139,"references_raw":147,"kevs":203,"epss":204,"epss_history":207,"metrics":480,"affected":490},"CVE-2022-41915","The Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by replacing the `DefaultHttpHeaders.set(CharSequence, Iterator\u003C?>)` call with a `remove()` call followed by calling `add()` in a loop over the iterator of values.",null,[11,85],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-113","Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.","weakness","Incomplete","Variant",[19,23,77,81],{"id":20,"name":21,"techniques":22},"CAPEC-105","HTTP Request Splitting",[],{"id":24,"name":25,"techniques":26},"CAPEC-31","Accessing/Intercepting/Modifying HTTP Cookies",[27],{"id":28,"name":29,"tactics":30,"countermeasures":34},"T1539","Steal Web Session Cookie",[31],{"id":32,"name":33},"TA0031","Credential 
Access",[35,40,45,49,54,59,63,67,72],{"id":36,"name":37,"tactic":38},"D3-CCSA","Credential Compromise Scope Analysis",{"name":39},"Detect",{"id":41,"name":42,"tactic":43},"D3-CR","Credential Revocation",{"name":44},"Evict",{"id":46,"name":47,"tactic":48},"D3-ANCI","Authentication Cache Invalidation",{"name":44},{"id":50,"name":51,"tactic":52},"D3-DUC","Decoy User Credential",{"name":53},"Deceive",{"id":55,"name":56,"tactic":57},"D3-CH","Credential Hardening",{"name":58},"Harden",{"id":60,"name":61,"tactic":62},"D3-MFA","Multi-factor Authentication",{"name":58},{"id":64,"name":65,"tactic":66},"D3-CRO","Credential Rotation",{"name":58},{"id":68,"name":69,"tactic":70},"D3-RIC","Reissue Credential",{"name":71},"Restore",{"id":73,"name":74,"tactic":75},"D3-CTS","Credential Transmission Scoping",{"name":76},"Isolate",{"id":78,"name":79,"techniques":80},"CAPEC-34","HTTP Response Splitting",[],{"id":82,"name":83,"techniques":84},"CAPEC-85","AJAX Footprinting",[],{"_key":86,"id":86,"name":87,"description":88,"type":15,"status":16,"abstraction":89,"likelihood_of_exploit":9,"capec":90},"CWE-436","Interpretation Conflict","Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.","Class",[91,93,97],{"id":20,"name":21,"techniques":92},[],{"id":94,"name":95,"techniques":96},"CAPEC-273","HTTP Response 
Smuggling",[],{"id":78,"name":79,"techniques":98},[],[100],{"_key":101,"name":102,"source":103,"url":104,"maturity":105,"reliability_score":106,"verified":107,"type":9,"platforms":108,"requires_auth":9,"exploitdb":9,"metasploit":9},"GITHUB_NETTY_NETTY","Netty","github","https://github.com/netty/netty/issues/2562","poc",0.3,false,[],[110],"GHSA-hh82-3pmq-7frp",[],[113,115,117,119,121,123,125,127],{"_key":114},"OPENSUSE-SU-2024:14442-1",{"_key":116},"UBUNTU-CVE-2022-41915",{"_key":118},"SUSE-SU-2023:2096-1",{"_key":120},"SUSE-SU-2023:2096-2",{"_key":122},"DLA-3268-1",{"_key":124},"DSA-5316-1",{"_key":126},"DEBIAN-CVE-2022-41915",{"_key":128},"USN-6049-1",[],[131,132,133,134],{"_key":114},{"_key":118},{"_key":120},{"_key":135},"CGA-J2XR-P8CX-HP8Q","2022-12-13T00:00:00.000Z","2025-04-22T15:57:32.870Z","Modified",{"cisa_kev":107,"cisa_ransomware":107,"cisa_vendor":9,"epss_severity":140,"epss_score":141,"severity":142,"severity_score":143,"severity_version":144,"severity_source":145,"severity_vector":146,"severity_status":138},"low",0.00497,"medium",6.5,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",[148,157,163,168,172,177,182,186,191,195,199],{"url":149,"sources":150,"tags":153},"https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp",[145,151,152],"nvd","osv_maven",[154,155,156],"Mitigation","Third Party Advisory","WEB",{"url":158,"sources":159,"tags":160},"https://github.com/netty/netty/issues/13084",[145,151,152],[161,162,155,156],"Exploit","Issue Tracking",{"url":164,"sources":165,"tags":166},"https://github.com/netty/netty/pull/12760",[145,151,152],[167,155,156],"Patch",{"url":169,"sources":170,"tags":171},"https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4",[145,151,152],[167,155,156],{"url":173,"sources":174,"tags":175},"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html",[145,151,152],[176,155,156],"Mailing 
List",{"url":178,"sources":179,"tags":180},"https://www.debian.org/security/2023/dsa-5316",[145,151,152],[181,155,156],"Vendor Advisory",{"url":183,"sources":184,"tags":185},"https://security.netapp.com/advisory/ntap-20230113-0004/",[145,151],[155],{"url":187,"sources":188,"tags":189},"https://nvd.nist.gov/vuln/detail/CVE-2022-41915",[152],[190],"Advisory",{"url":192,"sources":193,"tags":194},"https://github.com/netty/netty/commit/c37c637f096e7be3dffd36edee3455c8e90cb1b0",[152],[156],{"url":196,"sources":197,"tags":198},"https://github.com/netty/netty",[152],[156],{"url":200,"sources":201,"tags":202},"https://security.netapp.com/advisory/ntap-20230113-0004",[152],[156],[],{"date":205,"score":141,"percentile":206},"2026-06-04",0.66191,[208,212,215,218,221,224,227,230,233,236,239,242,245,247,250,254,257,260,263,266,269,272,275,278,281,284,287,290,293,296,299,302,305,307,310,313,316,319,322,325,329,332,335,338,341,344,347,350,353,356,359,362,365,368,372,375,378,381,385,388,391,394,397,400,403,406,409,412,414,417,420,423,426,429,432,435,438,441,445,448,451,454,457,460,463,466,469,472,474,477],{"date":209,"score":210,"percentile":211},"2025-11-04",0.00247,0.47821,{"date":213,"score":210,"percentile":214},"2025-11-05",0.4781,{"date":216,"score":210,"percentile":217},"2025-11-06",0.47826,{"date":219,"score":210,"percentile":220},"2025-11-07",0.47854,{"date":222,"score":210,"percentile":223},"2025-11-08",0.47856,{"date":225,"score":210,"percentile":226},"2025-11-09",0.47839,{"date":228,"score":210,"percentile":229},"2025-11-10",0.47813,{"date":231,"score":210,"percentile":232},"2025-11-11",0.47827,{"date":234,"score":210,"percentile":235},"2025-11-12",0.47857,{"date":237,"score":210,"percentile":238},"2025-11-13",0.4786,{"date":240,"score":210,"percentile":241},"2025-11-14",0.47872,{"date":243,"score":210,"percentile":244},"2025-11-15",0.47867,{"date":246,"score":210,"percentile":220},"2025-11-16",{"date":248,"score":210,"percentile":249},"2025-11-17",0.47831,{"date":251,"s
core":252,"percentile":253},"2025-11-18",0.0139,0.78705,{"date":255,"score":252,"percentile":256},"2025-11-19",0.78713,{"date":258,"score":252,"percentile":259},"2025-11-20",0.7872,{"date":261,"score":210,"percentile":262},"2025-11-21",0.47823,{"date":264,"score":210,"percentile":265},"2025-11-22",0.47819,{"date":267,"score":210,"percentile":268},"2025-11-23",0.47793,{"date":270,"score":210,"percentile":271},"2025-11-24",0.47784,{"date":273,"score":210,"percentile":274},"2025-11-25",0.47797,{"date":276,"score":210,"percentile":277},"2025-11-26",0.47798,{"date":279,"score":210,"percentile":280},"2025-11-27",0.47803,{"date":282,"score":210,"percentile":283},"2025-11-28",0.47772,{"date":285,"score":210,"percentile":286},"2025-11-29",0.47753,{"date":288,"score":210,"percentile":289},"2025-11-30",0.47742,{"date":291,"score":210,"percentile":292},"2025-12-01",0.47894,{"date":294,"score":210,"percentile":295},"2025-12-02",0.47909,{"date":297,"score":210,"percentile":298},"2025-12-03",0.47901,{"date":300,"score":210,"percentile":301},"2025-12-04",0.47736,{"date":303,"score":210,"percentile":304},"2025-12-05",0.47755,{"date":306,"score":210,"percentile":304},"2025-12-06",{"date":308,"score":210,"percentile":309},"2025-12-07",0.47746,{"date":311,"score":210,"percentile":312},"2025-12-08",0.4775,{"date":314,"score":210,"percentile":315},"2025-12-09",0.47781,{"date":317,"score":210,"percentile":318},"2025-12-10",0.47842,{"date":320,"score":210,"percentile":321},"2025-12-11",0.47864,{"date":323,"score":210,"percentile":324},"2025-12-12",0.47891,{"date":326,"score":327,"percentile":328},"2025-12-13",0.00273,0.50491,{"date":330,"score":327,"percentile":331},"2025-12-14",0.50473,{"date":333,"score":327,"percentile":334},"2025-12-15",0.50457,{"date":336,"score":327,"percentile":337},"2025-12-16",0.50467,{"date":339,"score":327,"percentile":340},"2025-12-17",0.50494,{"date":342,"score":327,"percentile":343},"2025-12-18",0.50534,{"date":345,"score":327,"percentile":346},"2025-12-19",0
.50537,{"date":348,"score":327,"percentile":349},"2025-12-20",0.50498,{"date":351,"score":327,"percentile":352},"2025-12-21",0.50471,{"date":354,"score":327,"percentile":355},"2025-12-22",0.50453,{"date":357,"score":327,"percentile":358},"2025-12-23",0.50451,{"date":360,"score":327,"percentile":361},"2025-12-24",0.5046,{"date":363,"score":327,"percentile":364},"2025-12-25",0.5051,{"date":366,"score":327,"percentile":367},"2025-12-26",0.50499,{"date":369,"score":370,"percentile":371},"2025-12-27",0.0023,0.45767,{"date":373,"score":327,"percentile":374},"2025-12-28",0.50441,{"date":376,"score":327,"percentile":377},"2025-12-29",0.50429,{"date":379,"score":327,"percentile":380},"2025-12-30",0.50426,{"date":382,"score":383,"percentile":384},"2025-12-31",0.00317,0.54369,{"date":386,"score":383,"percentile":387},"2026-01-01",0.54538,{"date":389,"score":383,"percentile":390},"2026-01-02",0.5452,{"date":392,"score":383,"percentile":393},"2026-01-03",0.5451,{"date":395,"score":383,"percentile":396},"2026-01-04",0.54343,{"date":398,"score":383,"percentile":399},"2026-01-05",0.54329,{"date":401,"score":383,"percentile":402},"2026-01-06",0.54336,{"date":404,"score":383,"percentile":405},"2026-01-07",0.54361,{"date":407,"score":383,"percentile":408},"2026-01-08",0.54383,{"date":410,"score":383,"percentile":411},"2026-01-09",0.54375,{"date":413,"score":383,"percentile":411},"2026-01-10",{"date":415,"score":383,"percentile":416},"2026-01-11",0.54354,{"date":418,"score":383,"percentile":419},"2026-01-12",0.54308,{"date":421,"score":383,"percentile":422},"2026-01-13",0.54286,{"date":424,"score":383,"percentile":425},"2026-01-14",0.54333,{"date":427,"score":383,"percentile":428},"2026-01-15",0.54335,{"date":430,"score":383,"percentile":431},"2026-01-16",0.54358,{"date":433,"score":383,"percentile":434},"2026-01-17",0.54347,{"date":436,"score":383,"percentile":437},"2026-01-18",0.54344,{"date":439,"score":383,"percentile":440},"2026-01-19",0.54332,{"date":442,"score":443,"percentile":
444},"2026-01-20",0.00521,0.66235,{"date":446,"score":443,"percentile":447},"2026-01-21",0.66247,{"date":449,"score":443,"percentile":450},"2026-01-22",0.66257,{"date":452,"score":443,"percentile":453},"2026-01-23",0.66288,{"date":455,"score":443,"percentile":456},"2026-01-24",0.66296,{"date":458,"score":443,"percentile":459},"2026-01-25",0.66262,{"date":461,"score":443,"percentile":462},"2026-01-26",0.66255,{"date":464,"score":443,"percentile":465},"2026-01-27",0.66264,{"date":467,"score":443,"percentile":468},"2026-01-28",0.66276,{"date":470,"score":443,"percentile":471},"2026-01-29",0.66278,{"date":473,"score":443,"percentile":453},"2026-01-30",{"date":475,"score":443,"percentile":476},"2026-01-31",0.6629,{"date":478,"score":443,"percentile":479},"2026-02-01",0.66433,[481,486,488],{"source":145,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":482,"cvss_v4_0":9},{"baseScore":143,"baseSeverity":483,"vectorString":146,"impactScore":484,"exploitabilityScore":485},"MEDIUM",4.2,10,{"source":151,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":487,"cvss_v4_0":9},{"baseScore":143,"baseSeverity":483,"vectorString":146,"impactScore":484,"exploitabilityScore":485},{"source":152,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":489,"cvss_v4_0":9},{"baseScore":143,"baseSeverity":9,"vectorString":146,"impactScore":484,"exploitabilityScore":485},[491,502,517],{"ecosystem":9,"name":492,"vendor":493,"product":494,"cpe_part":495,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":496},"debian 
linux","debian","debian_linux","o",[497,500],{"version":498,"is_range":107,"range_type":499,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"10.0","cpe",{"version":501,"is_range":107,"range_type":499,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"11.0",{"ecosystem":503,"name":504,"vendor":505,"product":506,"cpe_part":9,"purl_type":507,"purl_namespace":505,"purl_name":506,"source":9,"versions":508},"Maven","io.netty:netty-codec-http","io.netty","netty-codec-http","maven",[509],{"version":510,"is_range":511,"range_type":512,"version_start":513,"version_start_type":514,"version_end":515,"version_end_type":516,"fixed_in":9},"gte4_1_83_Final_lt4_1_86_Final",true,"ecosystem","4.1.83.Final","including","4.1.86.Final","excluding",{"ecosystem":9,"name":518,"vendor":518,"product":518,"cpe_part":519,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":520},"netty","a",[521,523,526],{"version":522,"is_range":511,"range_type":145,"version_start":515,"version_start_type":514,"version_end":515,"version_end_type":516,"fixed_in":9},">= 4.1.86.Final, \u003C 4.1.86.Final",{"version":524,"is_range":511,"range_type":145,"version_start":513,"version_start_type":514,"version_end":525,"version_end_type":516,"fixed_in":9},">= 4.1.83.Final, \u003C 4.1.83.Final*","4.1.83.Final*",{"version":527,"is_range":511,"range_type":499,"version_start":528,"version_start_type":514,"version_end":529,"version_end_type":516,"fixed_in":9},"gte4.1.83_lt4.1.86","4.1.83","4.1.86"]