Vulnerable Library - sts-2.25.64.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.109.Final/netty-codec-4.1.109.Final.jar
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (sts version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-44249 | High | 8.1 | netty-handler-4.1.109.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-50010 | High | 7.5 | netty-handler-4.1.109.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-45416 | High | 7.5 | netty-handler-4.1.109.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-42587 | High | 7.5 | detected in multiple dependencies | Transitive | 2.27.21 | ❌ |
| CVE-2026-42583 | High | 7.5 | netty-codec-4.1.109.Final.jar | Transitive | 2.27.21 | ❌ |
| CVE-2026-33871 | High | 7.5 | netty-codec-http2-4.1.109.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-33870 | High | 7.5 | netty-codec-http-4.1.109.Final.jar | Transitive | N/A* | ❌ |
| CVE-2025-55163 | High | 7.5 | netty-codec-http2-4.1.109.Final.jar | Transitive | 2.27.21 | ❌ |
| CVE-2025-24970 | High | 7.5 | netty-handler-4.1.109.Final.jar | Transitive | 2.25.65 | ❌ |
| CVE-2026-42584 | High | 7.3 | netty-codec-http-4.1.109.Final.jar | Transitive | 2.27.21 | ❌ |
| CVE-2026-42585 | Medium | 6.5 | netty-codec-http-4.1.109.Final.jar | Transitive | 2.27.21 | ❌ |
| CVE-2026-42580 | Medium | 6.5 | netty-codec-http-4.1.109.Final.jar | Transitive | 2.27.21 | ❌ |
| CVE-2025-67735 | Medium | 6.5 | netty-codec-http-4.1.109.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-42581 | Medium | 5.8 | netty-codec-http-4.1.109.Final.jar | Transitive | 2.27.21 | ❌ |
| CVE-2025-25193 | Medium | 5.5 | netty-common-4.1.109.Final.jar | Transitive | 2.25.65 | ❌ |
| CVE-2024-47535 | Medium | 5.5 | netty-common-4.1.109.Final.jar | Transitive | 2.27.21 | ❌ |
| CVE-2026-50560 | Medium | 5.3 | netty-codec-http2-4.1.109.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-50020 | Medium | 5.3 | netty-codec-http-4.1.109.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-48043 | Medium | 5.3 | netty-codec-http2-4.1.109.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-47244 | Medium | 5.3 | netty-codec-http2-4.1.109.Final.jar | Transitive | N/A* | ❌ |
| CVE-2026-41417 | Medium | 5.3 | netty-codec-http-4.1.109.Final.jar | Transitive | 2.27.21 | ❌ |
| CVE-2025-58057 | Medium | 5.3 | detected in multiple dependencies | Transitive | 2.27.21 | ❌ |
| CVE-2025-58056 | Medium | 5.3 | netty-codec-http-4.1.109.Final.jar | Transitive | 2.27.21 | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-44249
Vulnerable Library - netty-handler-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.109.Final/netty-handler-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - netty-codec-http-4.1.109.Final.jar
      - ❌ netty-handler-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-11
URL: CVE-2026-44249
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-08
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.15.Final,https://github.com/netty/netty.git - netty-4.1.135.Final
Step up your Open Source Security Game with Mend here
CVE-2026-50010
Vulnerable Library - netty-handler-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.109.Final/netty-handler-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - netty-codec-http-4.1.109.Final.jar
      - ❌ netty-handler-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with "SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)" performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-50010
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
CVE-2026-45416
Vulnerable Library - netty-handler-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.109.Final/netty-handler-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - netty-codec-http-4.1.109.Final.jar
      - ❌ netty-handler-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates "ctx.alloc().buffer(handshakeLength)" (line 161). The guard at line 140 is "handshakeLength > maxClientHelloLength && maxClientHelloLength != 0", and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-45416
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-09
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.15.Final,https://github.com/netty/netty.git - netty-4.1.135.Final
CVE-2026-42587
Vulnerable Libraries - netty-codec-http-4.1.109.Final.jar, netty-codec-http2-4.1.109.Final.jar
netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http-4.1.109.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.109.Final/netty-codec-http2-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http2-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42587
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-f6hv-jmp6-3vwv
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
Fix Resolution (io.netty:netty-codec-http2): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.25.65
CVE-2026-42583
Vulnerable Library - netty-codec-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.109.Final/netty-codec-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - netty-codec-http-4.1.109.Final.jar
      - ❌ netty-codec-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42583
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
CVE-2026-33871
Vulnerable Library - netty-codec-http2-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.109.Final/netty-codec-http2-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http2-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.11.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of "CONTINUATION" frames. The server's lack of a limit on the number of "CONTINUATION" frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.11.Final fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-03-27
URL: CVE-2026-33871
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/netty/netty.git - netty-4.1.132.Final,https://github.com/netty/netty.git - netty-4.2.11.Final
CVE-2026-33870
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33870
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-pwqr-wmgm-9rr8
Release Date: 2026-03-26
Fix Resolution: io.netty:netty-codec-http:4.1.132.Final,io.netty:netty-codec-http:4.2.10.Final
CVE-2025-55163
Vulnerable Library - netty-codec-http2-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.109.Final/netty-codec-http2-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http2-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
Publish Date: 2025-08-13
URL: CVE-2025-55163
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-13
Fix Resolution (io.netty:netty-codec-http2): 4.1.124.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
CVE-2025-24970
Vulnerable Library - netty-handler-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.109.Final/netty-handler-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - netty-codec-http-4.1.109.Final.jar
      - ❌ netty-handler-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, it does not correctly validate such a packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround, it is possible either to disable the usage of the native SSLEngine or to change the code manually.
Publish Date: 2025-02-10
URL: CVE-2025-24970
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-4g8c-wm8x-jfhw
Release Date: 2025-02-10
Fix Resolution (io.netty:netty-handler): 4.1.118.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.25.65
CVE-2026-42584
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42584
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
CVE-2026-42585
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42585
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-38f8-5428-x5cv
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
CVE-2026-42580
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42580
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
CVE-2025-67735
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, "io.netty.handler.codec.http.HttpRequestEncoder" is subject to CRLF injection through the request URI when constructing a request. This leads to request smuggling when "HttpRequestEncoder" is used without proper sanitization of the URI. Any application or framework using "HttpRequestEncoder" can be abused to perform request smuggling via CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
Publish Date: 2025-12-16
URL: CVE-2025-67735
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-16
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.8.Final,https://github.com/netty/netty.git - netty-4.1.129.Final
CVE-2026-42581
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42581
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
CVE-2025-25193
Vulnerable Library - netty-common-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.109.Final/netty-common-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - netty-codec-http-4.1.109.Final.jar
      - ❌ netty-common-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Publish Date: 2025-02-10
URL: CVE-2025-25193
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-389x-839f-4rhx
Release Date: 2025-02-10
Fix Resolution (io.netty:netty-common): 4.1.118.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.25.65
CVE-2024-47535
Vulnerable Library - netty-common-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.109.Final/netty-common-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - netty-codec-http-4.1.109.Final.jar
      - ❌ netty-common-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Publish Date: 2024-11-12
URL: CVE-2024-47535
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xq3w-v528-46rv
Release Date: 2024-11-12
Fix Resolution (io.netty:netty-common): 4.1.115.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
CVE-2026-50560
Vulnerable Library - netty-codec-http2-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.109.Final/netty-codec-http2-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http2-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called "SETTINGS_MAX_HEADER_LIST_SIZE". When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-50560
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
CVE-2026-50020
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, "HttpObjectDecoder" skips every byte for which "Character.isISOControl(b)" is "true" (0x00–0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-50020
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
CVE-2026-48043
Vulnerable Library - netty-codec-http2-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.109.Final/netty-codec-http2-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http2-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the "DelegatingDecompressorFrameListener" class orchestrates HTTP/2 decompression by embedding a per-stream "EmbeddedChannel" that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled "ByteBuf" handed to an anonymous "ChannelInboundHandlerAdapter" tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that cause the flow controller to throw, triggering a resource leak that can eventually take down the whole JVM with an OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-48043
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
CVE-2026-47244
Vulnerable Library - netty-codec-http2-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.109.Final/netty-codec-http2-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http2-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-47244
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-09
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.15.Final, https://github.com/netty/netty.git - netty-4.1.135.Final
CVE-2026-41417
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
- sts-2.25.64.jar (Root Library)
  - netty-nio-client-2.25.64.jar
    - ❌ netty-codec-http-4.1.109.Final.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty allows request-line validation to be bypassed when a "DefaultHttpRequest" or "DefaultFullHttpRequest" is created first and its URI is later changed via "setUri()". The constructors reject CRLF and whitespace characters that would break the start-line, but "setUri()" does not apply the same validation. "HttpRequestEncoder" and "RtspEncoder" then write the URI into the request line verbatim. If attacker-controlled input reaches "setUri()", this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-06
URL: CVE-2026-41417
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v8h7-rr48-vmmv
Release Date: 2026-05-05
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - netty-handler-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.109.Final/netty-handler-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-11
URL: CVE-2026-44249
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-08
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.15.Final, https://github.com/netty/netty.git - netty-4.1.135.Final
Vulnerable Library - netty-handler-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.109.Final/netty-handler-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with "SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)" performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-50010
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
Vulnerable Library - netty-handler-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.109.Final/netty-handler-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates "ctx.alloc().buffer(handshakeLength)" (line 161). The guard at line 140 is "handshakeLength > maxClientHelloLength && maxClientHelloLength != 0", and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-45416
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-09
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.15.Final, https://github.com/netty/netty.git - netty-4.1.135.Final
Vulnerable Libraries - netty-codec-http-4.1.109.Final.jar, netty-codec-http2-4.1.109.Final.jar
netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
netty-codec-http2-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.109.Final/netty-codec-http2-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42587
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-f6hv-jmp6-3vwv
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
Fix Resolution (io.netty:netty-codec-http2): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.25.65
Vulnerable Library - netty-codec-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.109.Final/netty-codec-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes (22 bytes if compressedLength == 1) to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42583
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
Vulnerable Library - netty-codec-http2-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.109.Final/netty-codec-http2-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.11.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of "CONTINUATION" frames. The server's lack of a limit on the number of "CONTINUATION" frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.11.Final fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-03-27
URL: CVE-2026-33871
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/netty/netty.git - netty-4.1.132.Final, https://github.com/netty/netty.git - netty-4.2.11.Final
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33870
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-pwqr-wmgm-9rr8
Release Date: 2026-03-26
Fix Resolution: io.netty:netty-codec-http:4.1.132.Final, io.netty:netty-codec-http:4.2.10.Final
Vulnerable Library - netty-codec-http2-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.109.Final/netty-codec-http2-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
Publish Date: 2025-08-13
URL: CVE-2025-55163
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-13
Fix Resolution (io.netty:netty-codec-http2): 4.1.124.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
Vulnerable Library - netty-handler-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.109.Final/netty-handler-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, it does not correctly validate the packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround, it is possible to either disable the usage of the native SSLEngine or change the code manually.
Publish Date: 2025-02-10
URL: CVE-2025-24970
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-4g8c-wm8x-jfhw
Release Date: 2025-02-10
Fix Resolution (io.netty:netty-handler): 4.1.118.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.25.65
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42584
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42585
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-38f8-5428-x5cv
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42580
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the "io.netty.handler.codec.http.HttpRequestEncoder" is vulnerable to CRLF injection via the request URI when constructing a request. This leads to request smuggling when "HttpRequestEncoder" is used without proper sanitization of the URI. Any application or framework using "HttpRequestEncoder" can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
Publish Date: 2025-12-16
URL: CVE-2025-67735
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-16
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.8.Final, https://github.com/netty/netty.git - netty-4.1.129.Final
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42581
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
Vulnerable Library - netty-common-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.109.Final/netty-common-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe read of an environment file can cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates that file and makes it large enough, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. That issue was fixed, but the fix was incomplete in that null bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Publish Date: 2025-02-10
URL: CVE-2025-25193
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-389x-839f-4rhx
Release Date: 2025-02-10
Fix Resolution (io.netty:netty-common): 4.1.118.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.25.65
Vulnerable Library - netty-common-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.109.Final/netty-common-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe read of an environment file can cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates that file and makes it large enough, the Netty application crashes. This vulnerability is fixed in 4.1.115.
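The incomplete-fix pattern behind CVE-2024-47535 and CVE-2025-25193 above, as an added example that is not Netty's code and does not reproduce which file Netty reads: a bounded reader that discards NUL bytes before counting them can be driven through an arbitrarily large file, while a reader that caps the raw bytes consumed stops after limit+1 bytes whatever the content. The limit value, the chunk size and the hostile file are assumptions constructed for the example.

```python
"""Bounded read of an untrusted file, with and without the NUL-byte mistake.

Added example; not Netty's code. Models the failure mode described above:
read_bounded_buggy() counts only the bytes it keeps, so a file made of NULs
never trips the limit; read_bounded() counts every byte consumed.
"""
import io
from typing import BinaryIO, Callable, Tuple

LIMIT = 4096          # assumption: whatever cap the application considers acceptable


class FileTooLarge(ValueError):
    """Raised with the number of bytes consumed before the reader gave up."""


def read_bounded_buggy(fp: BinaryIO, limit: int = LIMIT) -> Tuple[bytes, int]:
    """Return (kept bytes, bytes consumed). Only kept bytes count toward the limit."""
    kept = bytearray()
    consumed = 0
    while True:
        chunk = fp.read(1024)
        if not chunk:
            return bytes(kept), consumed
        consumed += len(chunk)
        chunk = chunk.replace(b"\x00", b"")      # NULs are dropped before they are counted
        if len(kept) + len(chunk) > limit:
            raise FileTooLarge(consumed)
        kept += chunk


def read_bounded(fp: BinaryIO, limit: int = LIMIT) -> Tuple[bytes, int]:
    """Every byte read counts; at most limit+1 bytes are ever pulled from the file."""
    data = fp.read(limit + 1)
    if len(data) > limit:
        raise FileTooLarge(len(data))
    return data.replace(b"\x00", b""), len(data)


def run(reader: Callable[[BinaryIO], Tuple[bytes, int]], payload: bytes) -> Tuple[bytes, int]:
    """Run a reader over an in-memory payload; on rejection return (b'', bytes consumed)."""
    try:
        return reader(io.BytesIO(payload))
    except FileTooLarge as exc:
        return b"", exc.args[0]


# Constructed hostile file: a megabyte of NULs hiding a short real payload.
HOSTILE = b"\x00" * (1024 * 1024) + b"KEY=value\n"

if __name__ == "__main__":
    for name, reader in (("buggy", read_bounded_buggy), ("fixed", read_bounded)):
        kept, consumed = run(reader, HOSTILE)
        print(f"{name}: consumed {consumed} bytes, kept {kept!r}")
```

The point to carry over to any file the process reads at startup: the cap must be enforced on bytes pulled from the file, before any filtering, because the attacker chooses the content.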
Publish Date: 2024-11-12
URL: CVE-2024-47535
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xq3w-v528-46rv
Release Date: 2024-11-12
Fix Resolution (io.netty:netty-common): 4.1.115.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21
Vulnerable Library - netty-codec-http2-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.109.Final/netty-codec-http2-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's handling of the HTTP/2 maximum header list size allows an attack similar to HTTP/2 Rapid Reset. The HTTP/2 specification defines a setting called "SETTINGS_MAX_HEADER_LIST_SIZE". When a client sends that setting to Netty, Netty appears to behave as follows: it reads the request, proxies it to the origin, attempts to produce a response, and then raises an exception while writing the response headers. Functionally this is similar to the HTTP/2 Rapid Reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-50560
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, "HttpObjectDecoder" skips every byte for which "Character.isISOControl(b)" is "true" (0x00–0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
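The two leading-byte policies contrasted above, as an added example that is not Netty code: one skipper absorbs every ISO control byte and all whitespace before the request-line (the behaviour described for the unfixed decoder), the other tolerates only empty CRLF lines as RFC 9112 section 2.2 allows and rejects anything else. The sample buffers are constructed for the example.

```python
"""Leading-byte policy before the first request-line.

Added example; not Netty code. skip_leading_permissive() models the
behaviour described above; skip_leading_strict() implements only the
RFC 9112 section 2.2 allowance (empty CRLF lines) and rejects anything
else, so a front end and this parser cannot place the start of the
request at different offsets.
"""
from typing import Tuple


class MalformedStart(ValueError):
    pass


def is_iso_control(b: int) -> bool:
    """Same set as Character.isISOControl for a single byte: 0x00-0x1F and 0x7F."""
    return b <= 0x1F or b == 0x7F


def skip_leading_permissive(buf: bytes) -> bytes:
    """Drop every control byte and whitespace byte in front of the request-line."""
    i = 0
    while i < len(buf) and (is_iso_control(buf[i]) or buf[i] in b" \t"):
        i += 1
    return buf[i:]


def skip_leading_strict(buf: bytes) -> bytes:
    """Drop only empty lines (CRLF pairs); reject any other control or whitespace byte."""
    i = 0
    while buf.startswith(b"\r\n", i):
        i += 2
    if i < len(buf) and (is_iso_control(buf[i]) or buf[i] in b" \t"):
        raise MalformedStart(f"unexpected byte 0x{buf[i]:02x} before request-line")
    return buf[i:]


def request_line(buf: bytes, strict: bool) -> Tuple[str, str, str]:
    """Return (method, target, version) of the first request in buf."""
    rest = skip_leading_strict(buf) if strict else skip_leading_permissive(buf)
    line, sep, _ = rest.partition(b"\r\n")
    if not sep:
        raise MalformedStart("incomplete request-line")
    parts = line.decode("ascii", "replace").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise MalformedStart("malformed request-line")
    return parts[0], parts[1], parts[2]


def accepts(buf: bytes, strict: bool) -> bool:
    """True when the chosen policy parses a request-line out of buf."""
    try:
        request_line(buf, strict)
        return True
    except MalformedStart:
        return False


# Constructed inputs.
CLEAN = b"GET /index HTTP/1.1\r\nHost: h\r\n\r\n"
EMPTY_LINES = b"\r\n\r\n" + CLEAN            # allowed by RFC 9112 section 2.2
NUL_PREFIXED = b"\x00\x01\x02" + CLEAN       # absorbed only by the permissive policy
SPACE_PREFIXED = b"   " + CLEAN              # likewise

if __name__ == "__main__":
    for name, buf in (("clean", CLEAN), ("empty lines", EMPTY_LINES),
                      ("NUL prefix", NUL_PREFIXED), ("space prefix", SPACE_PREFIXED)):
        print(f"{name:12} permissive={accepts(buf, False)} strict={accepts(buf, True)}")
```

The inputs the permissive policy accepts and the strict one rejects are exactly the bytes a front-end component may treat differently, so a proxy in front of an unfixed Netty should be checked for how it forwards leading NUL and other control bytes.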
Publish Date: 2026-06-12
URL: CVE-2026-50020
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
Vulnerable Library - netty-codec-http2-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.109.Final/netty-codec-http2-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the "DelegatingDecompressorFrameListener" class orchestrates HTTP/2 decompression by embedding a per-stream "EmbeddedChannel" that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled "ByteBuf" handed to an anonymous "ChannelInboundHandlerAdapter" tail handler, which becomes the sole owner responsible for releasing it. A remote peer can send frames that make the flow controller throw, which leaks those buffers and can eventually take down the whole JVM with an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-48043
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
Vulnerable Library - netty-codec-http2-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.109.Final/netty-codec-http2-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
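A check for the condition described above from the outside, as an added example that is not Netty code: the server's SETTINGS frame is parsed and the script reports whether SETTINGS_MAX_CONCURRENT_STREAMS (identifier 0x3) was advertised at all. The parsing functions work on a captured byte string so they run offline; probe() does the same over a live connection and assumes h2c prior knowledge on a plaintext port (for a TLS endpoint the socket would first have to be wrapped with ALPN "h2"). The constructed server responses at the bottom are sample data, not captures.

```python
"""Does an HTTP/2 server advertise SETTINGS_MAX_CONCURRENT_STREAMS?

Added example; it is not Netty code. advertised_settings() and
max_concurrent_streams() work on captured bytes; probe() performs the same
check live over an h2c prior-knowledge (plaintext) connection, which is an
assumption about the target.
"""
import socket
import struct
from typing import Dict, Iterator, Optional, Tuple

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4


def settings_frame(params: Dict[int, int], ack: bool = False) -> bytes:
    """Encode a SETTINGS frame: 24-bit length, type, flags, stream id 0, then 16-bit id / 32-bit value pairs."""
    payload = b"".join(struct.pack(">HI", k, v) for k, v in params.items())
    header = (len(payload).to_bytes(3, "big")
              + bytes([FRAME_SETTINGS, FLAG_ACK if ack else 0])
              + b"\x00\x00\x00\x00")
    return header + payload


def parse_frames(buf: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (type, flags, stream id, payload) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream = struct.unpack(">I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            break                      # incomplete trailing frame
        yield ftype, flags, stream, payload
        off += 9 + length


def advertised_settings(buf: bytes) -> Dict[int, int]:
    """Merge every non-ACK SETTINGS frame the peer sent (later values win)."""
    out: Dict[int, int] = {}
    for ftype, flags, _stream, payload in parse_frames(buf):
        if ftype == FRAME_SETTINGS and not flags & FLAG_ACK:
            for i in range(0, len(payload) - len(payload) % 6, 6):
                key, value = struct.unpack(">HI", payload[i:i + 6])
                out[key] = value
    return out


def max_concurrent_streams(buf: bytes) -> Optional[int]:
    """None means the server advertised no limit, which is the condition described above."""
    return advertised_settings(buf).get(SETTINGS_MAX_CONCURRENT_STREAMS)


def probe(host: str, port: int, timeout: float = 5.0) -> Optional[int]:
    """Live check over h2c prior knowledge: send the preface plus an empty SETTINGS, read the server's."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PREFACE + settings_frame({}))
        try:
            while not any(t == FRAME_SETTINGS and not f & FLAG_ACK
                          for t, f, _, _ in parse_frames(data)):
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return max_concurrent_streams(data)


# Constructed server responses for offline use (sample data, not captures).
UNLIMITED_SERVER = settings_frame({SETTINGS_INITIAL_WINDOW_SIZE: 65535})
CAPPED_SERVER = settings_frame({SETTINGS_MAX_CONCURRENT_STREAMS: 100,
                                SETTINGS_INITIAL_WINDOW_SIZE: 65535})

if __name__ == "__main__":
    import sys
    limit = probe(sys.argv[1], int(sys.argv[2]))
    print("no SETTINGS_MAX_CONCURRENT_STREAMS advertised" if limit is None else f"limit = {limit}")
```

The remedy named in the advisory is on the server side, an explicit initialSettings().maxConcurrentStreams(n) in the Netty configuration; this probe only tells you whether that was done. An advertised value is also only half the story, since the passage notes that Netty enforces no local limit either, so the value should be paired with a connection-level test of how many streams actually stay open.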
Publish Date: 2026-06-12
URL: CVE-2026-47244
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-09
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.15.Final, https://github.com/netty/netty.git - netty-4.1.135.Final
Vulnerable Library - netty-codec-http-4.1.109.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Netty allows request-line validation to be bypassed when a "DefaultHttpRequest" or "DefaultFullHttpRequest" is created first and its URI is later changed via "setUri()". The constructors reject CRLF and whitespace characters that would break the start-line, but "setUri()" does not apply the same validation. "HttpRequestEncoder" and "RtspEncoder" then write the URI into the request line verbatim. If attacker-controlled input reaches "setUri()", this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
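The CRLF-injection path shared by CVE-2025-67735 and CVE-2026-41417 above, as an added example that is not Netty code and is not HttpRequestEncoder or RtspEncoder: encode_request(..., validate=False) writes the URI verbatim, as the vulnerable encoders do, and count_request_lines() shows that a CRLF-bearing request-target turns into a second request on the wire; validate_uri() is the rule to apply to any attacker-influenced value before it reaches the request object, whether through the constructor or a later setUri()-style assignment. The smuggled request-target and the header list are constructed for the example.

```python
"""URI validation before the request-line is written.

Added example; not Netty code. The vulnerable path (validate=False) mirrors an
encoder that writes the request-target verbatim; validate_uri() rejects the
CR, LF and whitespace characters that would break the start-line, the same
class of characters the constructors reject but setUri() did not.
"""
import re
from typing import Sequence, Tuple

# CR, LF, NUL and whitespace can terminate or split the start-line.
_FORBIDDEN = re.compile(r"[\r\n\x00\t\x0b\x0c ]")
_REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]")


class InvalidUri(ValueError):
    pass


def validate_uri(uri: str) -> str:
    """Return uri unchanged, or raise InvalidUri naming the offending character."""
    if not uri:
        raise InvalidUri("empty request-target")
    m = _FORBIDDEN.search(uri)
    if m:
        raise InvalidUri(f"forbidden character 0x{ord(m.group()):02x} at offset {m.start()}")
    return uri


def is_valid_uri(uri: str) -> bool:
    try:
        validate_uri(uri)
        return True
    except InvalidUri:
        return False


def encode_request(method: str, uri: str, headers: Sequence[Tuple[str, str]],
                   validate: bool = True) -> bytes:
    """Serialise a request head. validate=False reproduces the vulnerable verbatim write."""
    if validate:
        validate_uri(uri)
    out = f"{method} {uri} HTTP/1.1\r\n"
    out += "".join(f"{k}: {v}\r\n" for k, v in headers)
    return (out + "\r\n").encode("latin-1")


def count_request_lines(wire: bytes) -> int:
    """How many request-lines a line-oriented peer would see in the serialised bytes."""
    return sum(1 for line in wire.split(b"\r\n") if _REQUEST_LINE.fullmatch(line))


# Constructed attacker-controlled request-target: it closes the first request and starts another.
SMUGGLED_URI = (
    "/search?q=a HTTP/1.1\r\n"
    "Host: backend\r\n"
    "\r\n"
    "GET /internal/admin HTTP/1.1\r\n"
    "Host: backend\r\n"
    "X-Pad:"
)
HEADERS = [("Host", "backend"), ("User-Agent", "example")]

if __name__ == "__main__":
    wire = encode_request("GET", SMUGGLED_URI, HEADERS, validate=False)
    print("verbatim write produced", count_request_lines(wire), "request-lines")
    try:
        encode_request("GET", SMUGGLED_URI, HEADERS)
    except InvalidUri as exc:
        print("validated write rejected the URI:", exc)
```

The trailing "X-Pad:" in the constructed target exists so that the " HTTP/1.1" the encoder appends lands in a harmless header rather than in the smuggled request-line. The same validation applies to RTSP request-targets written by an RTSP encoder, where the page notes the outcome is request injection rather than smuggling.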
Publish Date: 2026-05-06
URL: CVE-2026-41417
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v8h7-rr48-vmmv
Release Date: 2026-05-05
Fix Resolution (io.netty:netty-codec-http): 4.1.133.Final
Direct dependency fix Resolution (software.amazon.awssdk:sts): 2.27.21