VYPR
High severity · NVD Advisory · Published Mar 3, 2020 · Updated Sep 17, 2024

DoS Via Malformed URL with Reactor Netty HTTP Server

CVE-2020-5403

Description

Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reactor Netty HttpServer versions 0.9.3 and 0.9.4 prematurely close connections on URISyntaxException instead of returning a 400 response.

Vulnerability Overview

CVE-2020-5403 affects Reactor Netty HttpServer versions 0.9.3 and 0.9.4. The vulnerability arises when the server encounters a URISyntaxException while parsing an incoming HTTP request. Instead of handling the error by sending a 400 Bad Request response, the server prematurely closes the connection, so the request fails without any HTTP response being written [1].
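To make the distinction concrete, the following is an added illustration (not Reactor Netty's code and not taken from the advisory) of the two behaviours the description contrasts: a handler that lets a parse failure of the request-target end the connection, beside one that maps the same java.net.URISyntaxException to a 400 response. The request-targets, the Outcome record and the handler names are constructed for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Constructed model of request-target handling. java.net.URI is used as the
 * parser because it throws the checked URISyntaxException named in the advisory.
 */
public class MalformedTargetHandling {

    /** Result of handling one request line: was the socket closed, and which status/body was written. */
    public record Outcome(boolean connectionClosed, int status, String body) {}

    /** Parses the request-target; malformed input (unencoded space, bad escape) throws URISyntaxException. */
    static URI parseTarget(String target) throws URISyntaxException {
        return new URI(target);
    }

    /** Behaviour the advisory describes for 0.9.3/0.9.4: the exception is never turned into a response. */
    static Outcome handleByClosing(String target) {
        try {
            URI uri = parseTarget(target);
            return new Outcome(false, 200, "OK " + uri.getPath());
        } catch (URISyntaxException e) {
            // No status line is written; the peer only observes the connection going away.
            return new Outcome(true, 0, "");
        }
    }

    /** Hardened behaviour: keep the protocol well-formed by answering 400 Bad Request. */
    static Outcome handleWith400(String target) {
        try {
            URI uri = parseTarget(target);
            return new Outcome(false, 200, "OK " + uri.getPath());
        } catch (URISyntaxException e) {
            // e.getReason() is safe to surface: it describes the parse error, not server internals.
            return new Outcome(false, 400, "Bad Request: " + e.getReason());
        }
    }

    public static void main(String[] args) {
        // Constructed sample targets: a valid path, an unencoded space, and a broken percent-escape.
        String[] targets = { "/index.html", "/a b", "/%zz" };
        for (String t : targets) {
            System.out.printf("%-12s closing=%s%n             hardened=%s%n",
                    t, handleByClosing(t), handleWith400(t));
        }
    }
}
```

Running main prints, for each malformed target, an Outcome with connectionClosed=true from handleByClosing and a status of 400 from handleWith400; only the latter gives an HTTP client something it can interpret instead of a dropped socket.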

Exploitation Scenario

An attacker can exploit this issue by sending HTTP requests with malformed URIs to the vulnerable server. The attack does not require authentication, since it targets the request parsing phase, before any access control is applied. The attacker must be able to send requests to the server, which is typically possible over the network if the server is exposed.

Impact

The immediate impact is that clients receive a closed connection instead of a proper error response, which disrupts normal client-server communication. Repeatedly sending malformed requests can be used to cause a denial of service, either by exhausting server resources or by confusing client-side logic that expects a valid HTTP response.

Mitigation

The issue is resolved in later versions of Reactor Netty. Users running versions 0.9.3 or 0.9.4 should upgrade to a patched version (e.g., 0.9.5 or higher) to ensure proper error responses and connection handling [1]. No workarounds are documented, so upgrading is the recommended course of action.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.projectreactor.netty:reactor-netty-http (Maven)
Affected versions: >= 0.9.3, < 0.9.5
Patched versions: 0.9.5

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)