CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-25193 – Denial of Service attack on windows app using Netty
https://notcve.org/view.php?id=CVE-2025-25193
10 Feb 2025 — Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. • https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47535 – Denial of Service attack on windows app using Netty
https://notcve.org/view.php?id=CVE-2024-47535
12 Nov 2024 — Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115. • https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 94%CPEs: 444EXPL: 17CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-34462 – netty-handler SniHandler 16MB allocation
https://notcve.org/view.php?id=CVE-2023-34462
22 Jun 2023 — Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicat... • https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41915 – Debian Security Advisory 5316-1
https://notcve.org/view.php?id=CVE-2022-41915
13 Dec 2022 — Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator)` call, into a `remove... • https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') CWE-436: Interpretation Conflict •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41881 – codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
https://notcve.org/view.php?id=CVE-2022-41881
12 Dec 2022 — Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. El proyecto Netty es un framework de aplicación de red asíncrona impulsado por eventos. • https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v • CWE-674: Uncontrolled Recursion •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 2CVE-2022-24823 – Local Information Disclosure Vulnerability in io.netty:netty-codec-http
https://notcve.org/view.php?id=CVE-2022-24823
06 May 2022 — Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like sy... • https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1 • CWE-378: Creation of Temporary File With Insecure Permissions CWE-379: Creation of Temporary File in Directory with Insecure Permissions CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.5EPSS: 0%CPEs: 22EXPL: 0CVE-2021-43797 – HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling
https://notcve.org/view.php?id=CVE-2021-43797
09 Dec 2021 — Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used ... • https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.5EPSS: 0%CPEs: 38EXPL: 0CVE-2021-37136 – netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
https://notcve.org/view.php?id=CVE-2021-37136
19 Oct 2021 — The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack La función Bzip2 decompression decoder no permite establecer restricciones de tamaño en los datos de salida descomprimidos (lo que afecta al tamaño de asignación usado durante la descompresión). Todos los usuarios de Bzip2Decoder están ... • https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 27EXPL: 0CVE-2021-37137 – netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
https://notcve.org/view.php?id=CVE-2021-37137
19 Oct 2021 — The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. La función Snappy frame decoder no restringe la longitud de los trozos, lo que puede co... • https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363 • CWE-400: Uncontrolled Resource Consumption •