Skip to main content

Reactor Netty

7 CVEs product

Monthly

CVE-2026-41715 MEDIUM PATCH This Month

Credential leakage in the Reactor Netty HTTP client exposes authentication material when following redirects that cross security boundaries from HTTPS to HTTP. Affected are all four supported release lines: 1.0.x through 1.0.51, 1.1.x through 1.1.35, 1.2.x through 1.2.17, and 1.3.x through 1.3.5. An attacker who controls or can influence a redirect response can cause the client to transmit credentials over an unencrypted channel, where they may be intercepted. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Information Disclosure Reactor Netty Red Hat
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2023-34054 Maven HIGH PATCH This Week

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Reactor Netty
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2023-34062 Maven HIGH PATCH This Week

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Reactor Netty
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-31684 Maven MEDIUM PATCH This Month

Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Reactor Netty
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2020-5403 Maven HIGH PATCH This Week

Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Reactor Netty
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2020-5404 Maven MEDIUM PATCH This Month

The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Reactor Netty
NVD
CVSS 3.1
5.9
EPSS
0.7%
CVE-2019-11284 Maven HIGH PATCH This Week

Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Reactor Netty
NVD
CVSS 3.1
8.6
EPSS
0.9%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Credential leakage in the Reactor Netty HTTP client exposes authentication material when following redirects that cross security boundaries from HTTPS to HTTP. Affected are all four supported release lines: 1.0.x through 1.0.51, 1.1.x through 1.1.35, 1.2.x through 1.2.17, and 1.3.x through 1.3.5. An attacker who controls or can influence a redirect response can cause the client to transmit credentials over an unencrypted channel, where they may be intercepted. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Information Disclosure Reactor Netty Red Hat
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Reactor Netty
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Reactor Netty
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Reactor Netty
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Reactor Netty
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Reactor Netty
NVD
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Reactor Netty
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy