Skip to main content

Netty

30 CVEs product

Monthly

CVE-2026-50560 Maven MEDIUM POC PATCH GHSA This Month

Netty's HTTP/2 codec mishandles the SETTINGS_MAX_HEADER_LIST_SIZE client setting, enabling a denial-of-service attack functionally equivalent to HTTP/2 Rapid Reset (CVE-2023-44487) but with a distinct on-wire signature. Affected Netty versions prior to 4.1.135.Final and 4.2.15.Final fully process and proxy incoming requests to the origin before encountering an exception during response header serialization, consuming server resources without completing responses. No public exploit has been identified at time of analysis, and EPSS stands at 0.02% (5th percentile), though the attack technique parallels a well-documented catastrophic DDoS class.

Denial Of Service Netty Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-50020 Maven MEDIUM POC PATCH GHSA This Month

HTTP request smuggling in Netty's HttpObjectDecoder (netty-codec-http) allows unauthenticated remote attackers to manipulate request-boundary parsing in pipelined or multiplexed deployments by injecting non-CRLF ISO control characters (NUL, SOH, STX, etc.) before the HTTP request-line. Affected are all Netty releases prior to 4.1.135.Final and 4.2.15.Final; both branches have vendor-confirmed patches. No public exploit code has been identified and EPSS is 0.04% (12th percentile), indicating low current exploitation likelihood, though the attack surface expands significantly in architectures fronted by proxies or load balancers that strip or interpret those control bytes differently than Netty does.

Request Smuggling Information Disclosure Netty Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-50011 Maven HIGH POC PATCH GHSA This Week

Denial of service in Netty's io.netty:netty-codec-redis component (prior to 4.1.135.Final and 4.2.15.Final) allows remote attackers to trigger memory exhaustion by sending a crafted RESP array header that declares a huge element count, causing RedisArrayAggregator to pre-allocate an oversized ArrayList before any child messages arrive. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided in the input.

Denial Of Service Netty
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-50010 Maven HIGH PATCH GHSA This Week

TLS hostname verification is silently disabled in Netty's netty-handler module for any client built with SslContextBuilder.forClient().trustManager(somePlainX509TrustManager), allowing network attackers in a man-in-the-middle position to present a valid certificate for any host and intercept supposedly encrypted traffic. Affects all Netty versions prior to 4.1.135.Final and 4.2.15.Final; no public exploit identified at time of analysis and EPSS is very low (0.04%), but the defect bypasses a core TLS protection that Netty 4.2 explicitly advertises as enabled by default.

Jwt Attack Information Disclosure Netty
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-50009 Maven MEDIUM PATCH GHSA This Month

Stateless reset token leakage in Netty's QUIC codec (io.netty:netty-codec-classes-quic prior to 4.2.15.Final) enables an on-path attacker to derive the reset token for active connections and terminate them via spoofed Stateless Reset packets. The default HMAC-based generators expose a deterministic relationship between the source connection ID visible in QUIC headers and the server's stateless reset token - after a source-CID rotation, an observer can compute the token from the new connection-ID bytes. No public exploit identified at time of analysis; the CVSS 4.8 Medium rating reflects the on-path attacker prerequisite (AC:H), which meaningfully limits opportunistic exploitation.

Information Disclosure Denial Of Service Netty
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-48748 Maven HIGH POC PATCH GHSA This Week

Denial of service in the Netty HTTP/3 codec (io.netty:netty-codec-http3) prior to version 4.2.15.Final allows remote unauthenticated attackers to exhaust server memory by triggering creation of an unbounded number of blocked streams, leading to an OutOfMemoryError. The flaw affects any Java application or service using Netty as an HTTP/3 server. No public exploit identified at time of analysis, and EPSS probability is very low (0.05%, 17th percentile), but the network-reachable nature of the HTTP/3 protocol surface makes patching a priority for exposed endpoints.

Denial Of Service Netty
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-58057 Maven MEDIUM POC PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Netty Red Hat Suse
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-58056 Maven LOW POC PATCH Monitor

Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. Rated low severity (CVSS 2.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Netty
NVD GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2025-55163 Maven HIGH POC PATCH This Week

Netty is an asynchronous, event-driven network application framework. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Netty Red Hat Suse
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2025-25193 Maven MEDIUM PATCH This Month

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Microsoft Denial Of Service Netty Windows Red Hat +1
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-24970 Maven HIGH POC PATCH This Week

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Netty Active Iq Unified Manager Oncommand Insight Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2024-47535 Maven MEDIUM POC PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Denial Of Service Microsoft Netty
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
CVE-2024-29025 Maven MEDIUM POC PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Netty Debian Linux
NVD GitHub
CVSS 3.1
5.3
EPSS
1.4%
CVE-2023-34462 Maven MEDIUM POC PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Netty
NVD GitHub
CVSS 3.1
6.5
EPSS
2.5%
CVE-2022-41915 Maven MEDIUM POC PATCH This Month

Netty project is an event-driven asynchronous network application framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Netty Debian Linux
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-41881 Maven HIGH POC PATCH This Week

Netty project is an event-driven asynchronous network application framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Netty Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2022-24823 Maven MEDIUM POC PATCH This Month

Netty is an open-source, asynchronous event-driven network application framework. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Java Microsoft Information Disclosure Netty Financial Services Crime And Compliance Management Studio +3
NVD GitHub
CVSS 3.1
5.5
EPSS
1.0%
CVE-2021-43797 Maven MEDIUM PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Netty Quarkus Oncommand Workflow Automation +15
NVD GitHub
CVSS 3.1
6.5
EPSS
2.7%
CVE-2021-37137 Maven HIGH PATCH This Week

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Netty Banking Apis Banking Digital Experience Commerce Guided Search +8
NVD GitHub
CVSS 3.1
7.5
EPSS
6.3%
CVE-2021-37136 Maven HIGH PATCH This Week

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Netty Quarkus Banking Apis Banking Digital Experience +15
NVD GitHub
CVSS 3.1
7.5
EPSS
5.7%
CVE-2021-21409 Maven MEDIUM PATCH This Month

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Netty Debian Linux Oncommand Api Services +15
NVD GitHub
CVSS 3.1
5.9
EPSS
4.9%
CVE-2021-21295 Maven MEDIUM PATCH This Month

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Netty Oncommand Api Services Oncommand Workflow Automation +5
NVD GitHub
CVSS 3.1
5.9
EPSS
18.9%
CVE-2021-21290 Maven MEDIUM POC PATCH This Month

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Apple Information Disclosure Netty Debian Linux Quarkus +10
NVD GitHub
CVSS 3.1
5.5
EPSS
1.8%
CVE-2020-11612 Maven HIGH PATCH This Week

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Netty Debian Linux Fedora Oncommand Api Services +9
NVD GitHub
CVSS 3.1
7.5
EPSS
9.4%
CVE-2020-7238 Maven HIGH POC PATCH This Week

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Request Smuggling Information Disclosure Netty Fedora Debian Linux +3
NVD GitHub
CVSS 3.1
7.5
EPSS
3.6%
CVE-2019-16869 Maven HIGH POC PATCH This Week

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Netty Debian Linux Ubuntu Linux +1
NVD GitHub
CVSS 3.1
7.5
EPSS
8.4%
CVE-2015-2156 Maven HIGH PATCH This Week

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Netty Play Framework
NVD GitHub
CVSS 3.0
7.5
EPSS
3.3%
CVE-2016-4970 Maven HIGH PATCH This Week

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Java Netty Jboss Data Grid Jboss Middleware Text Only Advisories +1
NVD GitHub
CVSS 3.1
7.5
EPSS
8.2%
CVE-2014-3488 Maven MEDIUM POC PATCH This Month

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Buffer Overflow Netty
NVD GitHub
CVSS 2.0
5.0
EPSS
0.9%
CVE-2014-0193 Maven MEDIUM PATCH This Month

WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Netty
NVD GitHub
CVSS 2.0
5.0
EPSS
4.1%
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Netty's HTTP/2 codec mishandles the SETTINGS_MAX_HEADER_LIST_SIZE client setting, enabling a denial-of-service attack functionally equivalent to HTTP/2 Rapid Reset (CVE-2023-44487) but with a distinct on-wire signature. Affected Netty versions prior to 4.1.135.Final and 4.2.15.Final fully process and proxy incoming requests to the origin before encountering an exception during response header serialization, consuming server resources without completing responses. No public exploit has been identified at time of analysis, and EPSS stands at 0.02% (5th percentile), though the attack technique parallels a well-documented catastrophic DDoS class.

Denial Of Service Netty Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

HTTP request smuggling in Netty's HttpObjectDecoder (netty-codec-http) allows unauthenticated remote attackers to manipulate request-boundary parsing in pipelined or multiplexed deployments by injecting non-CRLF ISO control characters (NUL, SOH, STX, etc.) before the HTTP request-line. Affected are all Netty releases prior to 4.1.135.Final and 4.2.15.Final; both branches have vendor-confirmed patches. No public exploit code has been identified and EPSS is 0.04% (12th percentile), indicating low current exploitation likelihood, though the attack surface expands significantly in architectures fronted by proxies or load balancers that strip or interpret those control bytes differently than Netty does.

Request Smuggling Information Disclosure Netty +2
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in Netty's io.netty:netty-codec-redis component (prior to 4.1.135.Final and 4.2.15.Final) allows remote attackers to trigger memory exhaustion by sending a crafted RESP array header that declares a huge element count, causing RedisArrayAggregator to pre-allocate an oversized ArrayList before any child messages arrive. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided in the input.

Denial Of Service Netty
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

TLS hostname verification is silently disabled in Netty's netty-handler module for any client built with SslContextBuilder.forClient().trustManager(somePlainX509TrustManager), allowing network attackers in a man-in-the-middle position to present a valid certificate for any host and intercept supposedly encrypted traffic. Affects all Netty versions prior to 4.1.135.Final and 4.2.15.Final; no public exploit identified at time of analysis and EPSS is very low (0.04%), but the defect bypasses a core TLS protection that Netty 4.2 explicitly advertises as enabled by default.

Jwt Attack Information Disclosure Netty
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stateless reset token leakage in Netty's QUIC codec (io.netty:netty-codec-classes-quic prior to 4.2.15.Final) enables an on-path attacker to derive the reset token for active connections and terminate them via spoofed Stateless Reset packets. The default HMAC-based generators expose a deterministic relationship between the source connection ID visible in QUIC headers and the server's stateless reset token - after a source-CID rotation, an observer can compute the token from the new connection-ID bytes. No public exploit identified at time of analysis; the CVSS 4.8 Medium rating reflects the on-path attacker prerequisite (AC:H), which meaningfully limits opportunistic exploitation.

Information Disclosure Denial Of Service Netty
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in the Netty HTTP/3 codec (io.netty:netty-codec-http3) prior to version 4.2.15.Final allows remote unauthenticated attackers to exhaust server memory by triggering creation of an unbounded number of blocked streams, leading to an OutOfMemoryError. The flaw affects any Java application or service using Netty as an HTTP/3 server. No public exploit identified at time of analysis, and EPSS probability is very low (0.05%, 17th percentile), but the network-reachable nature of the HTTP/3 protocol surface makes patching a priority for exposed endpoints.

Denial Of Service Netty
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Netty Red Hat +1
NVD GitHub
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. Rated low severity (CVSS 2.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Netty
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Netty is an asynchronous, event-driven network application framework. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Netty Red Hat +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Microsoft Denial Of Service Netty +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Netty Active Iq Unified Manager +3
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Denial Of Service Microsoft Netty
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Netty Debian Linux
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Netty
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Netty project is an event-driven asynchronous network application framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Netty Debian Linux
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Netty project is an event-driven asynchronous network application framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Netty Debian Linux
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

Netty is an open-source, asynchronous event-driven network application framework. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Java Microsoft Information Disclosure +5
NVD GitHub
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Netty +17
NVD GitHub
EPSS 6% CVSS 7.5
HIGH PATCH This Week

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Netty Banking Apis +10
NVD GitHub
EPSS 6% CVSS 7.5
HIGH PATCH This Week

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Netty Quarkus +17
NVD GitHub
EPSS 5% CVSS 5.9
MEDIUM PATCH This Month

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Netty +17
NVD GitHub
EPSS 19% CVSS 5.9
MEDIUM PATCH This Month

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Netty +7
NVD GitHub
EPSS 2% CVSS 5.5
MEDIUM POC PATCH This Month

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Apple Information Disclosure Netty +12
NVD GitHub
EPSS 9% CVSS 7.5
HIGH PATCH This Week

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Netty Debian Linux +11
NVD GitHub
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Request Smuggling Information Disclosure Netty +5
NVD GitHub
EPSS 8% CVSS 7.5
HIGH POC PATCH This Week

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Netty +3
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Netty Play Framework
NVD GitHub
EPSS 8% CVSS 7.5
HIGH PATCH This Week

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Java Netty +3
NVD GitHub
EPSS 1% CVSS 5.0
MEDIUM POC PATCH This Month

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Buffer Overflow Netty
NVD GitHub
EPSS 4% CVSS 5.0
MEDIUM PATCH This Month

WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Netty
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy