Vulnerable Library - selenium-java-4.5.3.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (selenium-java version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-44249 | High | 8.1 | netty-handler-4.1.84.Final.jar | Transitive | N/A* | ❌ |
| CVE-2024-53990 | High | 8.1 | async-http-client-2.12.3.jar | Transitive | 4.14.0 | ❌ |
| CVE-2026-50010 | High | 7.5 | netty-handler-4.1.84.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-45416 | High | 7.5 | netty-handler-4.1.84.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-42587 | High | 7.5 | netty-codec-http-4.1.84.Final.jar | Transitive | 4.14.0 | ❌ |
| CVE-2026-42583 | High | 7.5 | netty-codec-4.1.84.Final.jar | Transitive | 4.14.0 | ❌ |
| CVE-2026-33870 | High | 7.5 | netty-codec-http-4.1.84.Final.jar | Transitive | N/A* | ❌ |
| CVE-2023-5590 | High | 7.5 | selenium-ie-driver-4.5.3.jar | Transitive | 4.14.1 | ❌ |
| CVE-2026-45300 | High | 7.4 | async-http-client-2.12.3.jar | Transitive | N/A* | ❌ |
| CVE-2026-42584 | High | 7.3 | netty-codec-http-4.1.84.Final.jar | Transitive | 4.14.0 | ❌ |
| CVE-2026-40490 | Medium | 6.8 | async-http-client-2.12.3.jar | Transitive | 4.14.0 | ❌ |
| CVE-2026-42585 | Medium | 6.5 | netty-codec-http-4.1.84.Final.jar | Transitive | 4.14.0 | ❌ |
| CVE-2026-42580 | Medium | 6.5 | netty-codec-http-4.1.84.Final.jar | Transitive | 4.14.0 | ❌ |
| CVE-2025-67735 | Medium | 6.5 | netty-codec-http-4.1.84.Final.jar | Transitive | N/A* | ❌ |
| CVE-2023-34462 | Medium | 6.5 | netty-handler-4.1.84.Final.jar | Transitive | 4.14.0 | ❌ |
| CVE-2022-41915 | Medium | 6.5 | netty-codec-http-4.1.84.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-42581 | Medium | 5.8 | netty-codec-http-4.1.84.Final.jar | Transitive | 4.14.0 | ❌ |
| CVE-2025-25193 | Medium | 5.5 | netty-common-4.1.84.Final.jar | Transitive | 4.14.0 | ❌ |
| CVE-2024-47535 | Medium | 5.5 | netty-common-4.1.84.Final.jar | Transitive | 4.14.0 | ❌ |
| CVE-2023-2976 | Medium | 5.5 | guava-31.1-jre.jar | Transitive | 4.12.0 | ❌ |
| CVE-2026-50020 | Medium | 5.3 | netty-codec-http-4.1.84.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-45292 | Medium | 5.3 | opentelemetry-api-1.19.0.jar | Transitive | N/A* | ❌ |
| CVE-2026-42578 | Medium | 5.3 | netty-handler-proxy-4.1.60.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-41417 | Medium | 5.3 | netty-codec-http-4.1.84.Final.jar | Transitive | 4.14.0 | ❌ |
| CVE-2025-58057 | Medium | 5.3 | detected in multiple dependencies | Transitive | 4.14.0 | ❌ |
| CVE-2025-58056 | Medium | 5.3 | netty-codec-http-4.1.84.Final.jar | Transitive | 4.14.0 | ❌ |
| CVE-2024-29025 | Medium | 5.3 | netty-codec-http-4.1.84.Final.jar | Transitive | 4.14.0 | ❌ |
| CVE-2026-45536 | Medium | 4.0 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2020-8908 | Low | 3.3 | guava-31.1-jre.jar | Transitive | 4.12.0 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.
Details
Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-44249
Vulnerable Library - netty-handler-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.84.Final/netty-handler-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- netty-codec-http-4.1.84.Final.jar
- ❌ netty-handler-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-11
URL: CVE-2026-44249
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-08
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.15.Final,https://github.com/netty/netty.git - netty-4.1.135.Final
CVE-2024-53990
Vulnerable Library - async-http-client-2.12.3.jar
The Async Http Client (AHC) classes.
Library home page: http://github.com/AsyncHttpClient/async-http-client
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/asynchttpclient/async-http-client/2.12.3/async-http-client-2.12.3.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ async-http-client-2.12.3.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.
Publish Date: 2024-12-02
URL: CVE-2024-53990
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-mfj5-cf8g-g2fv
Release Date: 2024-12-02
Fix Resolution (org.asynchttpclient:async-http-client): 2.12.4
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
CVE-2026-50010
Vulnerable Library - netty-handler-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.84.Final/netty-handler-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- netty-codec-http-4.1.84.Final.jar
- ❌ netty-handler-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with "SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)" performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-50010
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
CVE-2026-45416
Vulnerable Library - netty-handler-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.84.Final/netty-handler-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- netty-codec-http-4.1.84.Final.jar
- ❌ netty-handler-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates "ctx.alloc().buffer(handshakeLength)" (line 161). The guard at line 140 is "handshakeLength > maxClientHelloLength && maxClientHelloLength != 0", and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-45416
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-09
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.15.Final,https://github.com/netty/netty.git - netty-4.1.135.Final
CVE-2026-42587
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ netty-codec-http-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42587
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-f6hv-jmp6-3vwv
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
CVE-2026-42583
Vulnerable Library - netty-codec-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.84.Final/netty-codec-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- netty-codec-http-4.1.84.Final.jar
- ❌ netty-codec-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42583
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec): 4.1.133.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
CVE-2026-33870
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ netty-codec-http-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33870
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-pwqr-wmgm-9rr8
Release Date: 2026-03-26
Fix Resolution: io.netty:netty-codec-http:4.1.132.Final,io.netty:netty-codec-http:4.2.10.Final
CVE-2023-5590
Vulnerable Library - selenium-ie-driver-4.5.3.jar
Selenium automates browsers. That's it! What you do with that power is entirely up to you.
Library home page: https://selenium.dev/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/seleniumhq/selenium/selenium-ie-driver/4.5.3/selenium-ie-driver-4.5.3.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- ❌ selenium-ie-driver-4.5.3.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
NULL Pointer Dereference in GitHub repository seleniumhq/selenium prior to 4.14.0.
Publish Date: 2023-10-15
URL: CVE-2023-5590
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-5590
Release Date: 2023-10-15
Fix Resolution (org.seleniumhq.selenium:selenium-ie-driver): 4.14.1
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.1
CVE-2026-45300
Vulnerable Library - async-http-client-2.12.3.jar
The Async Http Client (AHC) classes.
Library home page: http://github.com/AsyncHttpClient/async-http-client
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/asynchttpclient/async-http-client/2.12.3/async-http-client-2.12.3.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ async-http-client-2.12.3.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak "Cookie" headers to cross-origin redirect targets. When following a redirect to a different origin, the "propagatedHeaders()" method in "Redirect30xInterceptor.java" strips "Authorization" and "Proxy-Authorization" headers but does not strip the "Cookie" header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.
Publish Date: 2026-06-05
URL: CVE-2026-45300
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-19
Fix Resolution: https://github.com/AsyncHttpClient/async-http-client.git - async-http-client-project-2.15.0,https://github.com/AsyncHttpClient/async-http-client.git - async-http-client-project-3.0.10
CVE-2026-42584
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ netty-codec-http-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42584
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
CVE-2026-40490
Vulnerable Library - async-http-client-2.12.3.jar
The Async Http Client (AHC) classes.
Library home page: http://github.com/AsyncHttpClient/async-http-client
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/asynchttpclient/async-http-client/2.12.3/async-http-client-2.12.3.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ async-http-client-2.12.3.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set "(stripAuthorizationOnRedirect(true))" in the client config and avoid using Realm-based authentication with redirect following enabled. Note that "(stripAuthorizationOnRedirect(true))" alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following ("followRedirect(false)") and handle redirects manually with origin validation.
Publish Date: 2026-04-18
URL: CVE-2026-40490
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-18
Fix Resolution (org.asynchttpclient:async-http-client): 2.14.5
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
CVE-2026-42585
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ netty-codec-http-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42585
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-38f8-5428-x5cv
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
CVE-2026-42580
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ netty-codec-http-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42580
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
CVE-2025-67735
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ netty-codec-http-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the "io.netty.handler.codec.http.HttpRequestEncoder" has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when "HttpRequestEncoder" is used without proper sanitization of the URI. Any application / framework using "HttpRequestEncoder" can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
Publish Date: 2025-12-16
URL: CVE-2025-67735
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-16
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.8.Final,https://github.com/netty/netty.git - netty-4.1.129.Final
CVE-2023-34462
Vulnerable Library - netty-handler-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.84.Final/netty-handler-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- netty-codec-http-4.1.84.Final.jar
- ❌ netty-handler-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The "SniHandler" can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the "SniHandler" allocate 16MB of heap. The "SniHandler" class is a handler that waits for the TLS handshake to configure a "SslHandler" according to the indicated server name by the "ClientHello" record. For this matter it allocates a "ByteBuf" using the value defined in the "ClientHello" record. Normally the value of the packet should be smaller than the handshake packet but there are no checks done here and the way the code is written, it is possible to craft a packet that makes the "SslClientHelloHandler". This vulnerability has been fixed in version 4.1.94.Final.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-06-22
URL: CVE-2023-34462
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6mjq-h674-j845
Release Date: 2023-06-22
Fix Resolution (io.netty:netty-handler): 4.1.94.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
CVE-2022-41915
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ netty-codec-http-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling "DefaultHttpHeaders.set" with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the "DefaultHttpHeaders.set(CharSequence, Iterator<?>)" call into a "remove()" call, and calling "add()" in a loop over the iterator of values.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-12-13
URL: CVE-2022-41915
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-hh82-3pmq-7frp
Release Date: 2022-12-13
Fix Resolution: io.netty:netty-codec-http:4.1.86.Final
CVE-2026-42581
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ netty-codec-http-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42581
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
CVE-2025-25193
Vulnerable Library - netty-common-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.84.Final/netty-common-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ netty-common-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Publish Date: 2025-02-10
URL: CVE-2025-25193
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-389x-839f-4rhx
Release Date: 2025-02-10
Fix Resolution (io.netty:netty-common): 4.1.118.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
CVE-2024-47535
Vulnerable Library - netty-common-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.84.Final/netty-common-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ netty-common-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Publish Date: 2024-11-12
URL: CVE-2024-47535
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xq3w-v528-46rv
Release Date: 2024-11-12
Fix Resolution (io.netty:netty-common): 4.1.115.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
CVE-2023-2976
Vulnerable Library - guava-31.1-jre.jar
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Library home page: https://github.com/google/guava
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/31.1-jre/guava-31.1-jre.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-chrome-driver-4.5.3.jar
- ❌ guava-31.1-jre.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Use of Java's default temporary directory for file creation in "FileBackedOutputStream" in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution (com.google.guava:guava): 32.0.1-android
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.12.0
CVE-2026-50020
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
- selenium-java-4.5.3.jar (Root Library)
- selenium-remote-driver-4.5.3.jar
- ❌ netty-codec-http-4.1.84.Final.jar (Vulnerable Library)
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, "HttpObjectDecoder" skips every byte for which "Character.isISOControl(b)" is "true" (0x00–0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-50020
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.
Details
Vulnerable Library - netty-handler-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.84.Final/netty-handler-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-11
URL: CVE-2026-44249
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-08
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.15.Final, https://github.com/netty/netty.git - netty-4.1.135.Final
Vulnerable Library - async-http-client-2.12.3.jar
The Async Http Client (AHC) classes.
Library home page: http://github.com/AsyncHttpClient/async-http-client
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/asynchttpclient/async-http-client/2.12.3/async-http-client-2.12.3.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.
Publish Date: 2024-12-02
URL: CVE-2024-53990
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-mfj5-cf8g-g2fv
Release Date: 2024-12-02
Fix Resolution (org.asynchttpclient:async-http-client): 2.12.4
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
Vulnerable Library - netty-handler-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.84.Final/netty-handler-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with "SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)" performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-50010
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
Vulnerable Library - netty-handler-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.84.Final/netty-handler-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates "ctx.alloc().buffer(handshakeLength)" (line 161). The guard at line 140 is "handshakeLength > maxClientHelloLength && maxClientHelloLength != 0", and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-45416
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-09
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.15.Final, https://github.com/netty/netty.git - netty-4.1.135.Final
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42587
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-f6hv-jmp6-3vwv
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
Vulnerable Library - netty-codec-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.84.Final/netty-codec-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42583
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec): 4.1.133.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33870
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-pwqr-wmgm-9rr8
Release Date: 2026-03-26
Fix Resolution: io.netty:netty-codec-http:4.1.132.Final, io.netty:netty-codec-http:4.2.10.Final
Vulnerable Library - selenium-ie-driver-4.5.3.jar
Selenium automates browsers. That's it! What you do with that power is entirely up to you.
Library home page: https://selenium.dev/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/seleniumhq/selenium/selenium-ie-driver/4.5.3/selenium-ie-driver-4.5.3.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
NULL Pointer Dereference in GitHub repository seleniumhq/selenium prior to 4.14.0.
Publish Date: 2023-10-15
URL: CVE-2023-5590
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-5590
Release Date: 2023-10-15
Fix Resolution (org.seleniumhq.selenium:selenium-ie-driver): 4.14.1
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.1
Vulnerable Library - async-http-client-2.12.3.jar
The Async Http Client (AHC) classes.
Library home page: http://github.com/AsyncHttpClient/async-http-client
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/asynchttpclient/async-http-client/2.12.3/async-http-client-2.12.3.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak "Cookie" headers to cross-origin redirect targets. When following a redirect to a different origin, the "propagatedHeaders()" method in "Redirect30xInterceptor.java" strips "Authorization" and "Proxy-Authorization" headers but does not strip the "Cookie" header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.
Publish Date: 2026-06-05
URL: CVE-2026-45300
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-19
Fix Resolution: https://github.com/AsyncHttpClient/async-http-client.git - async-http-client-project-2.15.0, https://github.com/AsyncHttpClient/async-http-client.git - async-http-client-project-3.0.10
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42584
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
Vulnerable Library - async-http-client-2.12.3.jar
The Async Http Client (AHC) classes.
Library home page: http://github.com/AsyncHttpClient/async-http-client
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/asynchttpclient/async-http-client/2.12.3/async-http-client-2.12.3.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set "(stripAuthorizationOnRedirect(true))" in the client config and avoid using Realm-based authentication with redirect following enabled. Note that "(stripAuthorizationOnRedirect(true))" alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following ("followRedirect(false)") and handle redirects manually with origin validation.
Publish Date: 2026-04-18
URL: CVE-2026-40490
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-18
Fix Resolution (org.asynchttpclient:async-http-client): 2.14.5
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42585
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-38f8-5428-x5cv
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42580
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, "io.netty.handler.codec.http.HttpRequestEncoder" is subject to CRLF injection through the request URI when constructing a request. This leads to request smuggling when "HttpRequestEncoder" is used without proper sanitization of the URI. Any application or framework using "HttpRequestEncoder" can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
Publish Date: 2025-12-16
URL: CVE-2025-67735
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-16
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.8.Final, https://github.com/netty/netty.git - netty-4.1.129.Final
Vulnerable Library - netty-handler-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.84.Final/netty-handler-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The "SniHandler" can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the "SniHandler" allocate 16MB of heap. The "SniHandler" class is a handler that waits for the TLS handshake to configure a "SslHandler" according to the server name indicated by the "ClientHello" record. For this purpose it allocates a "ByteBuf" using the value defined in the "ClientHello" record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the "SslClientHelloHandler". This vulnerability has been fixed in version 4.1.94.Final.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-06-22
URL: CVE-2023-34462
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6mjq-h674-j845
Release Date: 2023-06-22
Fix Resolution (io.netty:netty-handler): 4.1.94.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling "DefaultHttpHeaders.set" with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the "DefaultHttpHeaders.set(CharSequence, Iterator<?>)" call into a "remove()" call, followed by calling "add()" in a loop over the iterator of values.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-12-13
URL: CVE-2022-41915
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-hh82-3pmq-7frp
Release Date: 2022-12-13
Fix Resolution: io.netty:netty-codec-http:4.1.86.Final
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42581
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
Vulnerable Library - netty-common-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.84.Final/netty-common-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Publish Date: 2025-02-10
URL: CVE-2025-25193
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-389x-839f-4rhx
Release Date: 2025-02-10
Fix Resolution (io.netty:netty-common): 4.1.118.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
Vulnerable Library - netty-common-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.84.Final/netty-common-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Publish Date: 2024-11-12
URL: CVE-2024-47535
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xq3w-v528-46rv
Release Date: 2024-11-12
Fix Resolution (io.netty:netty-common): 4.1.115.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
Vulnerable Library - guava-31.1-jre.jar
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Library home page: https://github.com/google/guava
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/31.1-jre/guava-31.1-jre.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Use of Java's default temporary directory for file creation in "FileBackedOutputStream" in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution (com.google.guava:guava): 32.0.1-android
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.12.0
Vulnerable Library - netty-codec-http-4.1.84.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1c4df5a2dad63eca1c6119afeeeffe013da8bd2d
Found in base branch: main
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, "HttpObjectDecoder" skips every byte for which "Character.isISOControl(b)" is "true" (0x00–0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-50020
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final