
Cloud Vulnerability DB
A community-led vulnerabilities database
Netty, an open-source asynchronous event-driven network application framework, was found to contain a request smuggling vulnerability (CVE-2021-21295) in versions before 4.1.60.Final. The vulnerability was discovered in March 2021 and affects the io.netty:netty-codec-http2 component (GitHub Advisory, NVD).
The vulnerability occurs when a Content-Length header is present in the original HTTP/2 request but is not validated by Http2MultiplexHandler as the request is propagated up the pipeline. This is acceptable for direct HTTP/2 communication, where the framing layer bounds each stream's body, but problems arise when the request is converted to HTTP/1.1 objects via Http2StreamFrameToHttpObjectCodec and then proxied to another peer, which will trust the unchecked Content-Length to delimit the body. The vulnerability is only exploitable when all of the following conditions are met: Http2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer (GitHub Advisory).
When exploited, an attacker can perform request smuggling attacks by embedding malicious requests inside the body as the request gets downgraded from HTTP/2 to HTTP/1.1. This could lead to unauthorized request processing and potential security bypass (GitHub Advisory).
The vulnerability has been patched in Netty version 4.1.60.Final. As a workaround, users can implement custom validation by creating a ChannelInboundHandler that is placed in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec (GitHub Advisory).
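The following handler is an added illustration of the workaround described above, not code from Netty or from the advisory; the class name ContentLengthValidator and the choice to answer a mismatch with a 400 and close the stream are assumptions. It sits in the ChannelPipeline directly behind Http2StreamFrameToHttpObjectCodec and checks that the body actually delivered matches the Content-Length the request announced before anything is forwarded upstream.

```java
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.util.ReferenceCountUtil;

// Hypothetical validator (not part of Netty). Install it right after
// Http2StreamFrameToHttpObjectCodec, before the handler that proxies upstream.
public class ContentLengthValidator extends ChannelInboundHandlerAdapter {
    private long declared = -1;      // Content-Length from the request, -1 = none
    private long received = 0;       // body bytes seen so far for this request
    private boolean rejected = false; // drop anything that arrives after a reject

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        if (rejected) { ReferenceCountUtil.release(msg); return; }
        if (msg instanceof HttpRequest) {
            HttpRequest req = (HttpRequest) msg;
            received = 0;
            declared = -1;
            java.util.List<String> cls = req.headers().getAll(HttpHeaderNames.CONTENT_LENGTH);
            // Ambiguous framing (several Content-Length values, or Content-Length
            // together with chunked encoding) is exactly what a downstream HTTP/1.1
            // parser could interpret differently from us, so refuse it outright.
            if (cls.size() > 1 || (!cls.isEmpty() && HttpUtil.isTransferEncodingChunked(req))) {
                reject(ctx, msg); return;
            }
            if (cls.size() == 1) {
                try { declared = Long.parseLong(cls.get(0).trim()); }
                catch (NumberFormatException e) { declared = -2; }
                if (declared < 0) { reject(ctx, msg); return; } // unparsable or negative
            }
        }
        if (msg instanceof HttpContent) { // a FullHttpRequest lands here too
            received += ((HttpContent) msg).content().readableBytes();
            boolean last = msg instanceof LastHttpContent;
            // More bytes than declared, or the stream ended short of the declared length
            if (declared >= 0 && (received > declared || (last && received != declared))) {
                reject(ctx, msg); return;
            }
        }
        ctx.fireChannelRead(msg);
    }

    private void reject(ChannelHandlerContext ctx, Object msg) {
        rejected = true;
        ReferenceCountUtil.release(msg);
        ctx.writeAndFlush(new DefaultFullHttpResponse(HttpVersion.HTTP_1_1,
                HttpResponseStatus.BAD_REQUEST, Unpooled.EMPTY_BUFFER))
           .addListener(ChannelFutureListener.CLOSE);
    }
}
```

Because each HTTP/2 stream is a child channel under Http2MultiplexHandler, closing the channel here resets only the offending stream rather than the whole connection.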
Source: This report was generated using AI