Skip to main content

Netty CVE-2024-29025

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2024-03-25 security-advisories@github.com
5.3
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
CVE Published
Mar 25, 2024 - 20:15 cve.org
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4,721 maven packages depend on io.netty:netty-codec-http (111 direct, 4,611 indirect)

Ecosystem-wide dependent count for version 4.1.108.Final.

DescriptionCVE.org

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The HttpPostRequestDecoder can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.

AnalysisAI

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The HttpPostRequestDecoder can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final. Affected products include: Netty, Debian Debian Linux.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Set resource limits, implement rate limiting, validate input sizes.

More in Netty

View all
CVE-2025-24970 HIGH POC
7.5 Feb 10

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final

CVE-2026-48748 HIGH POC
7.5 Jun 12

Denial of service in the Netty HTTP/3 codec (io.netty:netty-codec-http3) prior to version 4.2.15.Final allows remote una

CVE-2026-50011 HIGH POC
7.5 Jun 12

Denial of service in Netty's io.netty:netty-codec-redis component (prior to 4.1.135.Final and 4.2.15.Final) allows remot

CVE-2022-41881 HIGH POC
7.5 Dec 12

Netty project is an event-driven asynchronous network application framework. Rated high severity (CVSS 7.5), this vulner

CVE-2020-7238 HIGH POC
7.5 Jan 27

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Tr

CVE-2019-16869 HIGH POC
7.5 Sep 26

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked

CVE-2025-58057 MEDIUM POC
6.9 Sep 04

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performan

CVE-2023-34462 MEDIUM POC
6.5 Jun 22

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performan

CVE-2022-41915 MEDIUM POC
6.5 Dec 13

Netty project is an event-driven asynchronous network application framework. Rated medium severity (CVSS 6.5), this vuln

CVE-2024-47535 MEDIUM POC
5.5 Nov 12

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performan

CVE-2022-24823 MEDIUM POC
5.5 May 06

Netty is an open-source, asynchronous event-driven network application framework. Rated medium severity (CVSS 5.5), this

CVE-2021-21290 MEDIUM POC
5.5 Feb 08

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable h

Share

CVE-2024-29025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy