CVSS: 5.3 • EPSS: 0% • CPEs: 2 • EXPL: 1 • CVE-2026-41417 – Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()
https://notcve.org/view.php?id=CVE-2026-41417
06 May 2026 — Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or ... • https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
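The bypass above is a start-line injection: an encoder that writes the request-target verbatim lets a CRLF inside the URI terminate the request-line and start a second request. This added example (not Netty's code) models the two encoder behaviours in Python: one that emits the URI unchecked and one that applies the same CR/LF/whitespace check the constructors do; `count_start_lines` is an illustrative line-oriented scan for request-lines, and `INJECTED_URI` is a constructed attacker value.

```python
import re

# Bytes that must never appear in a request-target: CR and LF end the
# request-line, and SP/HTAB would split it into extra tokens.
_START_LINE_BREAKERS = re.compile(r"[\r\n\t ]")

def encode_request_line_unchecked(method: str, uri: str, version: str = "HTTP/1.1") -> bytes:
    """Writes the URI verbatim, like an encoder fed a URI that skipped validation."""
    return f"{method} {uri} {version}\r\n".encode("latin-1")

def validate_request_target(uri: str) -> str:
    """The check the constructors perform and that a URI setter must perform too."""
    if _START_LINE_BREAKERS.search(uri):
        raise ValueError("request-target contains CR, LF or whitespace")
    return uri

def encode_request_line_checked(method: str, uri: str, version: str = "HTTP/1.1") -> bytes:
    return encode_request_line_unchecked(method, validate_request_target(uri), version)

# METHOD SP request-target SP HTTP/x.y or RTSP/x.y, as a line-oriented parser would see it
_START_LINE = re.compile(rb"^[A-Z]+ \S+ (?:HTTP|RTSP)/\d\.\d$")

def count_start_lines(wire: bytes) -> int:
    """How many request-lines the encoded bytes contain."""
    return sum(1 for line in wire.split(b"\r\n") if _START_LINE.match(line))

# Constructed attacker-controlled value: the injected CRLF CRLF ends the first
# request, and the encoder's own " HTTP/1.1" suffix completes the second request-line.
INJECTED_URI = "/ HTTP/1.1\r\nHost: api.internal\r\n\r\nGET /admin"

def demo(uri: str = INJECTED_URI) -> tuple:
    """(request-lines emitted by the unchecked encoder, whether the checked encoder refused)."""
    emitted = count_start_lines(encode_request_line_unchecked("GET", uri))
    try:
        encode_request_line_checked("GET", uri)
        refused = False
    except ValueError:
        refused = True
    return emitted, refused
```

The same encoder shape applies to RTSP (`DESCRIBE rtsp://... RTSP/1.0`), which is why the advisory lists both protocols; validation belongs on every path that sets the target, not only in the constructor.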
CVSS: 8.7 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2026-33871 – Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass
https://notcve.org/view.php?id=CVE-2026-33871
27 Mar 2026 — Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Ve... • https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv • CWE-770: Allocation of Resources Without Limits or Throttling •
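Why a size-based limit alone does not help: a CONTINUATION frame with an empty payload costs the server a frame-header parse and a header-block append but adds nothing to the byte count the limit watches. This added example (not Netty's code) builds raw HTTP/2 frames per RFC 9113 section 4.1 and reassembles header blocks with two limits, a byte cap and a frame-count cap; the one-byte HEADERS payload `\x82` is the HPACK indexed field `:method: GET` and is a constructed sample, and the limit values are assumptions.

```python
import struct
from typing import Optional

FRAME_HEADER_LEN = 9
TYPE_HEADERS, TYPE_CONTINUATION = 0x1, 0x9
FLAG_END_HEADERS = 0x4

def frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Raw frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

class HeaderBlockAssembler:
    """Reassembles one header block from HEADERS + CONTINUATION frames (PADDED/PRIORITY
    flags are not modelled). max_header_bytes is the size-based limit; max_continuations
    is the frame-count limit that closes the zero-byte bypass (None = no count limit)."""
    def __init__(self, max_header_bytes: int = 8192, max_continuations: Optional[int] = None):
        self.max_header_bytes = max_header_bytes
        self.max_continuations = max_continuations
        self.block = bytearray()
        self.continuations = 0        # CONTINUATION frames seen for the current block
        self.in_block = False

    def feed(self, raw: bytes) -> int:
        """Consume whole frames from raw; return the number of completed header blocks.
        Raises ConnectionError where a server should send GOAWAY and close."""
        completed, off = 0, 0
        while off + FRAME_HEADER_LEN <= len(raw):
            length = int.from_bytes(raw[off:off + 3], "big")
            ftype, flags = raw[off + 3], raw[off + 4]
            payload = raw[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
            off += FRAME_HEADER_LEN + length
            if ftype == TYPE_HEADERS:
                self.block, self.continuations, self.in_block = bytearray(payload), 0, True
            elif ftype == TYPE_CONTINUATION:
                if not self.in_block:
                    raise ConnectionError("CONTINUATION without a preceding HEADERS")
                self.block += payload
                self.continuations += 1
                if self.max_continuations is not None and self.continuations > self.max_continuations:
                    raise ConnectionError("too many CONTINUATION frames for one header block")
            else:
                continue              # other frame types are not modelled here
            if len(self.block) > self.max_header_bytes:
                raise ConnectionError("header block exceeds size limit")
            if flags & FLAG_END_HEADERS:
                self.in_block = False
                completed += 1
        return completed

def continuation_flood(n: int) -> bytes:
    """Constructed attack traffic: a HEADERS frame that never sets END_HEADERS,
    followed by n CONTINUATION frames carrying zero payload bytes each."""
    return frame(TYPE_HEADERS, 0, 1, b"\x82") + b"".join(frame(TYPE_CONTINUATION, 0, 1) for _ in range(n))

def run_flood(max_continuations: Optional[int], n: int = 10_000) -> tuple:
    """Feed the flood to an assembler; report the outcome and how many CONTINUATIONs it processed."""
    assembler = HeaderBlockAssembler(max_header_bytes=8192, max_continuations=max_continuations)
    try:
        assembler.feed(continuation_flood(n))
        return "accepted", assembler.continuations
    except ConnectionError:
        return "rejected", assembler.continuations
```

With only the byte cap, the assembler processes all 10,000 frames of the flood (90 KB on the wire) and still holds a one-byte block, so the server keeps parsing for as long as the client keeps sending; the frame-count cap ends the connection after a handful of frames.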
CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 1 • CVE-2026-33870 – Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
https://notcve.org/view.php?id=CVE-2026-33870
27 Mar 2026 — Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue. • https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 1 • CVE-2025-58057 – Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack
https://notcve.org/view.php?id=CVE-2025-58057
03 Sep 2025 — Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls ... • https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •
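The defence against this class of bug is to bound the decompressed output, not the compressed input: a decoder must stop producing buffers once the total it has emitted for one message passes a cap. Python ships no Brotli binding in the standard library, so this added example (not Netty's code) shows the pattern with `zlib`, whose `decompressobj.decompress(data, max_length)` gives the same per-call output bound a safe Brotli loop needs; the 1 MiB cap, the 64 KiB step and both sample inputs are constructed for the example.

```python
import zlib

class DecompressionLimitExceeded(Exception):
    """Raised as soon as the inflated output would exceed the configured cap."""

def bounded_inflate(data: bytes, max_output: int, step: int = 64 * 1024) -> bytes:
    """Inflate `data`, at most `step` bytes per call, aborting once the total passes
    max_output. Memory stays below max_output + step whatever the compression ratio."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        piece = d.decompress(pending, step)     # max_length caps this call's output
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded("inflated output exceeded %d bytes" % max_output)
        if d.eof:                               # end-of-stream marker consumed: done
            break
        if not piece:                           # no output, no end marker: nothing left to decode
            raise ValueError("truncated or stalled compressed stream")
        pending = d.unconsumed_tail             # input zlib could not process within `step`
    return bytes(out)

# Constructed sample inputs: a benign message and a "bomb" whose 8 MiB of zeros
# compress to a few kilobytes.
BENIGN = zlib.compress(b"hello, world\n" * 1000)
BOMB = zlib.compress(bytes(8 * 1024 * 1024), 9)

def inflate_verdict(data: bytes, max_output: int = 1 << 20) -> tuple:
    """("ok", inflated length) or ("rejected", compressed length) under the given cap."""
    try:
        return "ok", len(bounded_inflate(data, max_output))
    except DecompressionLimitExceeded:
        return "rejected", len(data)
```

The check runs after every step, so the bomb is refused after roughly 1 MiB has been produced rather than after the whole 8 MiB has been allocated; a decoder that loops on the native library with no such check is the situation the advisory describes.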
CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 1 • CVE-2025-58056 – Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions
https://notcve.org/view.php?id=CVE-2025-58056
03 Sep 2025 — Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), a... • https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
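Both chunked-encoding entries on this page (CVE-2026-33870 on quoted strings in chunk extensions, and this one on bare LF as a chunk-size line terminator) come down to two parsers drawing different chunk boundaries from the same bytes. This added example (not Netty's code) implements the RFC 9112 section 7.1.1 chunk-size line, including the chunk-ext grammar with quoted-string values, behind two switches: whether a bare LF ends the line and whether the extension text is validated. It then runs a constructed body through a backend that accepts bare LF, a proxy that ends the line only at CRLF and ignores extension content (the page describes proxies treating the LF as part of the extension), and a strict parser. The page does not state how Netty's quoted-string handling deviated, so the quoted-string part shows only the conformant parse; the payload, the `ext=v` extension and the smuggled request are constructed.

```python
import re

# tchar from RFC 9110 section 5.6.2, as byte values
_TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

def parse_chunk_ext(ext: bytes) -> dict:
    """chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) with
    chunk-ext-val = token / quoted-string. Inside quotes ';' is data and a backslash
    escapes the next byte; CR and LF are never allowed anywhere."""
    out, i, n = {}, 0, len(ext)
    def skip_bws():
        nonlocal i
        while i < n and ext[i] in b" \t":
            i += 1
    def token() -> str:
        nonlocal i
        start = i
        while i < n and ext[i] in _TCHAR:
            i += 1
        if i == start:
            raise ValueError("expected token")
        return ext[start:i].decode("ascii")
    def quoted_string() -> str:
        nonlocal i
        i += 1                                   # opening DQUOTE
        chars = bytearray()
        while i < n:
            c = ext[i]; i += 1
            if c == 0x22:
                return chars.decode("latin-1")
            if c == 0x5C:                        # quoted-pair: next byte is literal
                if i >= n:
                    break
                c = ext[i]; i += 1
            if c < 0x20 and c != 0x09 or c == 0x7F:
                raise ValueError("control character in quoted-string")
            chars.append(c)
        raise ValueError("unterminated quoted-string")
    while True:
        skip_bws()
        if i == n:
            return out
        if ext[i] != 0x3B:
            raise ValueError("expected ';'")
        i += 1; skip_bws()
        name = token(); skip_bws()
        value = ""
        if i < n and ext[i] == 0x3D:
            i += 1; skip_bws()
            value = quoted_string() if i < n and ext[i] == 0x22 else token()
        out[name] = value

def _read_line(buf: bytes, pos: int, bare_lf_ok: bool):
    """(line, next_pos). Strict: ends only at CRLF. Lenient: a bare LF also ends it."""
    if bare_lf_ok:
        lf = buf.index(b"\n", pos)
        end = lf - 1 if lf > pos and buf[lf - 1] == 0x0D else lf
        return buf[pos:end], lf + 1
    crlf = buf.index(b"\r\n", pos)
    return buf[pos:crlf], crlf + 2

def parse_chunked(body: bytes, bare_lf_ok: bool, validate_ext: bool):
    """Decode one chunked body; return (chunks, bytes left over). The leftover is what
    the server would parse as the next request on the connection."""
    chunks, pos = [], 0
    while True:
        line, pos = _read_line(body, pos, bare_lf_ok)
        m = re.match(rb"[0-9A-Fa-f]+", line)
        if not m:
            raise ValueError("bad chunk-size line %r" % line)
        size = int(m.group(), 16)
        if validate_ext:
            parse_chunk_ext(line[m.end():])      # rest of the line must be well-formed chunk-ext
        if size == 0:
            break
        data = body[pos:pos + size]
        if len(data) < size:
            raise ValueError("truncated chunk")
        chunks.append(data)
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk-data not followed by CRLF")
        pos += 2
    line, pos = _read_line(body, pos, bare_lf_ok)   # trailer section: only the empty line is modelled
    if line != b"":
        raise ValueError("trailer fields not modelled")
    return chunks, body[pos:]

# Constructed payload. Backend: size line ends at the LF, filler is the chunk, then "0" and an
# empty trailer end the message, and the smuggled request is left over. Proxy: the LF and the
# filler are part of the extension, so its chunk data swallow "0\r\n\r\n" plus the smuggled
# request and the whole thing is forwarded as one request body.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n"

def build_body(smuggled: bytes = SMUGGLED) -> bytes:
    size = len(smuggled) + len(b"0\r\n\r\n")
    return (f"{size:x};ext=v\n".encode() + b"A" * size + b"\r\n"
            + b"0\r\n\r\n" + smuggled + b"\r\n0\r\n\r\n")

def views(body: bytes):
    """(backend's leftover bytes, proxy's leftover bytes, verdict of the strict parser)."""
    _, backend_rest = parse_chunked(body, bare_lf_ok=True, validate_ext=False)
    _, proxy_rest = parse_chunked(body, bare_lf_ok=False, validate_ext=False)
    try:
        parse_chunked(body, bare_lf_ok=False, validate_ext=True)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return backend_rest, proxy_rest, verdict
```

The strict parser rejects the body outright because an LF cannot appear in a chunk extension, which is the only safe answer: any parser that tolerates it will disagree with some other parser on where the message ends.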
CVSS: 8.2 • EPSS: 0% • CPEs: 2 • EXPL: 1 • CVE-2025-55163 – Netty MadeYouReset HTTP/2 DDoS Vulnerability
https://notcve.org/view.php?id=CVE-2025-55163
13 Aug 2025 — Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final. • https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-25193 – Denial of Service attack on windows app using Netty
https://notcve.org/view.php?id=CVE-2025-25193
10 Feb 2025 — Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe read of an environment file can cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates that file and makes it very large, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. • https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2024-47535 – Denial of Service attack on windows app using Netty
https://notcve.org/view.php?id=CVE-2024-47535
12 Nov 2024 — Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe read of an environment file can cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates that file and makes it very large, the Netty application crashes. This vulnerability is fixed in 4.1.115. • https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8 • EPSS: 94% • CPEs: 444 • EXPL: 23 • CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://packetstorm.news/files/id/211124 • CWE-400: Uncontrolled Resource Consumption •
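Rapid Reset and the MadeYouReset entry above (CVE-2025-55163) share one mechanism: a stream that is reset immediately after it is opened never counts against the max concurrent streams limit, yet the server has already dispatched the work for it. This added example (not Netty's code) shows why the concurrency limit alone is blind to the attack and what a per-connection reset budget does: the limiter counts every reset in a sliding window, whether the client sent RST_STREAM or the server reset the stream itself after a malformed frame, and the simulation models the open-then-reset loop. The budget of 100 resets per second, the attack rate of one reset every 0.5 ms and the concurrency limit of 100 are assumed values.

```python
from collections import deque

class StreamResetLimiter:
    """Budget of stream resets per connection over a sliding window. Counts every reset
    regardless of who initiated it: client RST_STREAM frames (Rapid Reset) and resets the
    server emits because a malformed frame forced it to (MadeYouReset)."""
    def __init__(self, max_resets: int, window_seconds: float):
        self.max_resets = max_resets
        self.window = window_seconds
        self.events = deque()                    # timestamps of resets still inside the window

    def on_reset(self, now: float) -> bool:
        """Record a reset at time `now`; False means the connection should be closed (GOAWAY)."""
        self.events.append(now)
        while self.events and now - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) <= self.max_resets

def simulate(limiter: StreamResetLimiter, attempts: int = 1000, interval: float = 0.0005,
             max_concurrent_streams: int = 100) -> tuple:
    """Model a client that opens a stream and resets it at once, `attempts` times, one every
    `interval` seconds. Returns (peak concurrent streams, requests dispatched, outcome)."""
    active = peak = dispatched = 0
    for i in range(attempts):
        if active >= max_concurrent_streams:     # the concurrency limit never triggers ...
            return peak, dispatched, "refused by concurrency limit"
        active += 1
        peak = max(peak, active)
        dispatched += 1                          # ... because the work is already dispatched
        active -= 1                              # before the reset frees the slot again
        if not limiter.on_reset(i * interval):
            return peak, dispatched, "connection closed by reset limiter"
    return peak, dispatched, "connection kept open"
```

Peak concurrency stays at 1 throughout, so a server that only enforces the stream limit serves all 1000 requests of the burst; the reset budget closes the connection after the 101st, while a client resetting 50 streams per second stays inside the window and is never cut off.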
CVSS: 6.8 • EPSS: 1% • CPEs: 1 • EXPL: 1 • CVE-2023-34462 – netty-handler SniHandler 16MB allocation
https://notcve.org/view.php?id=CVE-2023-34462
22 Jun 2023 — Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel has no idle timeout, an attacker can make a TCP server that uses the `SniHandler` allocate 16MB of heap per channel. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicat... • https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
