Skip to main content

Cloudburst Network EUVDEUVD-2026-34861

| CVE-2026-45290 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-05 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jun 05, 2026 - 19:02 EUVD
Analysis Generated
Jun 05, 2026 - 17:50 vuln.today

DescriptionGitHub Advisory

Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to 1.0.0.CR3-20260417.085727-30 impacts publicly accessible software depending on the affected versions of Network and allows an attacker to exploit a vulnerability in Network to stall the netty event loop, rendering it inoperable. All consumers of the library should upgrade to at least version 1.0.0.CR3-20260417.085727-30. There are no known workarounds beyond updating the library.

AnalysisAI

Denial of service in Cloudburst Network (cloudburstmc/network) versions prior to 1.0.0.CR3-20260417.085727-30 allows remote attackers to stall the underlying Netty event loop, rendering network processing inoperable for any publicly accessible application that depends on the library. The flaw scores CVSS 7.5 with a fully remote, low-complexity, unauthenticated availability impact, and no public exploit identified at time of analysis.

Technical ContextAI

Cloudburst Network is a Netty-based networking component used by Cloudburst-family projects (the CPE cpe:2.3:a:cloudburstmc:network confirms the affected package). The root cause is mapped to CWE-770 (Allocation of Resources Without Limits or Throttling), meaning the library accepts or processes input without bounding the work performed on the Netty event loop thread. Because Netty uses a small pool of single-threaded event loops to multiplex many connections, any operation that blocks or saturates that loop halts I/O for every connection it serves - turning a single malicious peer into a service-wide stall.

RemediationAI

Vendor-released patch: upgrade the cloudburstmc/network dependency to at least 1.0.0.CR3-20260417.085727-30 as directed in the GitHub Security Advisory at https://github.com/CloudburstMC/Network/security/advisories/GHSA-7x5h-rg5x-9gf3, and rebuild and redeploy every downstream service that embeds the library (transitive dependencies must be checked, not just direct ones). The advisory explicitly states there are no known workarounds, so compensating controls are limited to reducing exposure of the network listener - restrict the affected service to trusted source IP ranges at the firewall or load balancer, and place upstream rate-limiting or connection-throttling in front of the Netty listener to slow a single peer's ability to saturate the event loop; these reduce but do not eliminate risk and may degrade legitimate clients under load.

CVE-2024-21488 CRITICAL POC
9.8 Jan 30

Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_proce

CVE-2021-35048 CRITICAL POC
9.8 Jun 25

Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interfa

CVE-2021-35049 HIGH POC
8.8 Jun 25

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web inter

CVE-2021-35047 HIGH POC
8.8 Jun 25

Vulnerability in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker

CVE-2021-35050 HIGH POC
7.5 Jun 25

User credentials stored in a recoverable format within Fidelis Network and Deception CommandPost. Rated high severity (C

CVE-2022-24394 HIGH
8.8 May 17

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web inter

CVE-2022-24393 HIGH
8.8 May 17

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web inter

CVE-2022-24392 HIGH
8.8 May 17

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web inter

CVE-2022-24391 HIGH
8.8 May 17

Vulnerability in Fidelis Network and Deception CommandPost enables SQL injection through the web interface by an attacke

CVE-2022-24390 HIGH
8.8 May 17

Vulnerability in rconfig “remote_text_file” enables an attacker with user level access to the CLI to inject user level c

CVE-2022-24389 HIGH
8.8 May 17

Vulnerability in rconfig “cert_utils” enables an attacker with user level access to the CLI to inject root level command

CVE-2022-24388 HIGH
8.8 May 17

Vulnerability in rconfig “date” enables an attacker with user level access to the CLI to inject root level commands into

Share

EUVD-2026-34861 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy