Is (or was) DotNetty vulnerable w.r.t. "HTTP request smuggling" like the Java variant was?
The Java variant "Netty" had a security vulnerability in the past: HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling (see also CVE-2021-43797). Apparently, this security issue was fixed on Dec 9, 2021.
Can you tell me if DotNetty was / is subject to this vulnerability, too? If it was in the past but isn't anymore I would also be interested in the first DotNetty version (or the fixing commit) which isn't vulnerable anymore.
Many thanks in advance
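The kind of header-name validation whose absence the question describes, as an added example that is not part of the original post and is not DotNetty or Netty code: a standalone C# check that accepts only RFC 7230 token characters in a header name, run over constructed sample lines. The class and method names are hypothetical.

```csharp
using System;

// Added example: standalone check, not taken from DotNetty or Netty.
static class HeaderNameCheck
{
    // RFC 7230 "tchar" symbols; together with ALPHA and DIGIT these are
    // the only characters allowed in a header field name.
    const string TokenSymbols = "!#$%&'*+-.^_`|~";

    static bool IsTokenChar(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
        (c >= '0' && c <= '9') || TokenSymbols.IndexOf(c) >= 0;

    // Returns null when the name is valid, otherwise the reason for rejecting it.
    public static string Validate(string name)
    {
        if (string.IsNullOrEmpty(name)) return "empty header name";
        for (int i = 0; i < name.Length; i++)
        {
            if (!IsTokenChar(name[i]))
                return $"illegal character 0x{(int)name[i]:X2} at index {i}";
        }
        return null;
    }

    static void Main()
    {
        // Constructed sample header lines, not captured traffic.
        var lines = new[]
        {
            "Content-Length: 42",
            "Transfer-Encoding\u000b: chunked", // vertical tab before the colon
            "X-Trace\u0000Id: abc",             // NUL inside the name
            "Host : example.test",              // space before the colon
        };
        for (int n = 0; n < lines.Length; n++)
        {
            int colon = lines[n].IndexOf(':');
            string name = colon < 0 ? lines[n] : lines[n].Substring(0, colon);
            string reason = Validate(name);
            // Print the line index rather than the raw name so control
            // characters never reach the terminal or a log file.
            Console.WriteLine(reason == null
                ? $"line {n}: accept"
                : $"line {n}: reject ({reason})");
        }
    }
}
```

Only the first sample line is accepted; a decoder that instead skips or strips such characters can disagree with the next hop about which header was sent, which is the precondition for request smuggling.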
Hi @nayato, I saw you are a contributor and active in that repository. I have a question. Do you have any process to review the security vulnerabilities from the Java implementation of Netty and to decide whether the same issue could exist in DotNetty? Because this security issue is still open and no one has answered it for a year. From a security and maintenance point of view this is a bad sign, and I have a bad feeling about using this framework. Thank you in advance for your answer!