CVE-2020-7238

Name: CVE-2020-7238
Creator: NVD / NIST
Published: 2020-01-27T17:15:12.277+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 3.62%

Last modified Jun 17, 2026

CVE-2020-7238 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.. EPSS estimates a 3.62% chance of exploitation in the next 30 days.

Description

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

3.62%

88.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-444

Affected Software

Vendor	Product	Versions
Netty	Netty	4.1.43
Fedoraproject	Fedora	33
Debian	Debian Linux	8.0
Debian	Debian Linux	9.0
Debian	Debian Linux	10.0
Redhat	Jboss Enterprise Application Platform	7.2
Redhat	Jboss Enterprise Application Platform	7.3
Redhat	Jboss Enterprise Application Platform	7.4
Redhat	Jboss Enterprise Application Platform Text-Only Advisories	All versions
Redhat	Openshift Application Runtimes Text-Only Advisories	All versions

References

https://access.redhat.com/errata/RHSA-2020:0497Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0567Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0601Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0605Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0606Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0804Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0805Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0806Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0811Third Party Advisory
https://github.com/jdordonezn/CVE-2020-72381/issues/1Exploit, Third Party Advisory
https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05%40%3Ccommits.cassandra.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/02/msg00017.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/
https://netty.io/news/Vendor Advisory
https://www.debian.org/security/2021/dsa-4885Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0497Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0567Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0601Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0605Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0606Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0804Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0805Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0806Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0811Third Party Advisory
https://github.com/jdordonezn/CVE-2020-72381/issues/1Exploit, Third Party Advisory
https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05%40%3Ccommits.cassandra.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/02/msg00017.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/
https://netty.io/news/Vendor Advisory
https://www.debian.org/security/2021/dsa-4885Third Party Advisory

Timeline

Published: Jan 27, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-7238?

How severe is CVE-2020-7238?

CVE-2020-7238 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 3.62% probability of exploitation in the next 30 days.

How do I fix CVE-2020-7238?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-7238?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST