High severity · NVD Advisory · Published Nov 15, 2023 · Updated Aug 29, 2024

CVE-2023-34062

Description

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Directory traversal vulnerability in Reactor Netty HTTP Server allows attackers to read arbitrary files via specially crafted URL when serving static resources.

Vulnerability

Description

CVE-2023-34062 is a directory traversal vulnerability in the Reactor Netty HTTP Server, affecting versions 1.1.x prior to 1.1.13 and 1.0.x prior to 1.0.39. The issue occurs when the server is configured to serve static resources, allowing an attacker to craft a malicious URL that traverses directories outside the intended root directory [2][4].

Exploitation

Conditions

An attacker can exploit this vulnerability by sending a specially crafted HTTP request with path traversal sequences (e.g., ../) to the affected server. No authentication is required, and the attack can be launched remotely over the network with low complexity, as indicated by the CVSS vector (AV:N/AC:L/PR:N) [2][4].

Impact

Successful exploitation allows an attacker to read arbitrary files on the server's file system, potentially exposing sensitive information such as configuration files, credentials, or application source code. The confidentiality impact is high, while integrity and availability are not affected [2][4].

Mitigation

The vulnerability has been fixed in Reactor Netty versions 1.1.13 and 1.0.39. Users running affected versions should upgrade immediately. No workarounds are available [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| io.projectreactor.netty:reactor-netty-http (Maven) | >= 1.1.0, < 1.1.13 | 1.1.13 |
| io.projectreactor.netty:reactor-netty-http (Maven) | >= 1.0.0, < 1.0.39 | 1.0.39 |
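
A check for the affected ranges listed above, as an added example that is not part of the advisory or of the Reactor Netty project. It assumes input in the coordinate formats printed by `mvn dependency:list` and Gradle's `dependencies` task; the sample lines are constructed, and treating a qualified build of the fixed version as affected is a conservative assumption.

```python
import re

ARTIFACT = "io.projectreactor.netty:reactor-netty-http"

# Affected ranges from the advisory, per release line: [introduced, fixed).
AFFECTED = {
    (1, 1): ((1, 1, 0), (1, 1, 13)),
    (1, 0): ((1, 0, 0), (1, 0, 39)),
}

# Maven prints  group:artifact:type[:classifier]:version:scope
# Gradle prints group:artifact[:version][ -> resolved]
COORD = re.compile(
    re.escape(ARTIFACT)
    + r"(?![\w-])"                     # do not match reactor-netty-http-brave etc.
    + r"(?::[A-Za-z][\w-]*)*"          # Maven type and optional classifier
    + r"(?::(\d[\w.+-]*))?"            # declared version
    + r"(?:\s*->\s*(\d[\w.+-]*))?"     # version Gradle actually resolved
)


def parse_version(text):
    """Split '1.1.13-SNAPSHOT' into ((1, 1, 13), '-SNAPSHOT'); None if not x.y.z."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)$", text)
    if m is None:
        return None
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def fixed_for(version):
    """Return the patched version string if `version` is affected, else None."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    triple, qualifier = parsed
    bounds = AFFECTED.get(triple[:2])
    if bounds is None:                 # release line not listed in the advisory
        return None
    introduced, fixed = bounds
    in_range = introduced <= triple < fixed
    # Assumption: a qualified build of the fixed number (-SNAPSHOT, -RC1, ...)
    # may predate the fix, so it is reported for review.
    prerelease_of_fix = triple == fixed and qualifier.startswith("-")
    if in_range or prerelease_of_fix:
        return ".".join(str(part) for part in fixed)
    return None


def is_affected(version):
    return fixed_for(version) is not None


def audit(lines):
    """Return (line_number, resolved_version, upgrade_to) for each affected entry."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = COORD.search(line)
        if m is None:
            continue
        version = m.group(2) or m.group(1)   # prefer the resolved version
        if version is None:
            continue
        upgrade_to = fixed_for(version)
        if upgrade_to is not None:
            findings.append((number, version, upgrade_to))
    return findings


# Constructed sample: three Maven lines followed by four Gradle lines.
SAMPLE = """\
[INFO]    io.projectreactor.netty:reactor-netty-http:jar:1.1.12:compile
[INFO]    io.projectreactor.netty:reactor-netty-core:jar:1.1.12:compile
[INFO]    io.projectreactor.netty:reactor-netty-http:jar:1.1.13:compile
+--- io.projectreactor.netty:reactor-netty-http:1.0.20 -> 1.0.39
|    +--- io.projectreactor.netty:reactor-netty-http:1.0.38 (*)
+--- io.projectreactor.netty:reactor-netty-http -> 1.1.13-SNAPSHOT
+--- io.projectreactor.netty:reactor-netty-http-brave:1.1.12
""".splitlines()

if __name__ == "__main__":
    for number, version, upgrade_to in audit(SAMPLE):
        print(f"line {number}: {ARTIFACT} {version} is affected, upgrade to {upgrade_to}")
```

Only the `reactor-netty-http` artifact is matched because that is the package the advisory names; the exposure condition (serving static resources) still has to be checked in the application itself.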

Affected products

141

Patches

1
b1dd46b9a424

[chores] 'static' modifier out of order

https://github.com/reactor/reactor-netty · Violeta Georgieva · Oct 31, 2023 · via ghsa
20 files changed · +70 -62
  • reactor-netty-core/src/main/java/reactor/netty/ByteBufFlux.java+4 4 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright (c) 2011-2021 VMware, Inc. or its affiliates, All Rights Reserved.
    + * Copyright (c) 2011-2023 VMware, Inc. or its affiliates, All Rights Reserved.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -350,7 +350,7 @@ static ByteBufFlux maybeFuse(Flux<ByteBuf> source, ByteBufAllocator allocator) {
     	/**
     	 * A channel object to {@link ByteBuf} transformer
     	 */
    -	final static Function<Object, ByteBuf> bytebufExtractor = o -> {
    +	static final Function<Object, ByteBuf> bytebufExtractor = o -> {
     		if (o instanceof ByteBuf) {
     			return (ByteBuf) o;
     		}
    @@ -363,9 +363,9 @@ static ByteBufFlux maybeFuse(Flux<ByteBuf> source, ByteBufAllocator allocator) {
     		throw new IllegalArgumentException("Object " + o + " of type " + o.getClass() + " " + "cannot be converted to ByteBuf");
     	};
     
    -	final static int MAX_CHUNK_SIZE = 1024 * 512; //500k
    +	static final int MAX_CHUNK_SIZE = 1024 * 512; //500k
     
    -	final static Logger log = Loggers.getLogger(ByteBufFlux.class);
    +	static final Logger log = Loggers.getLogger(ByteBufFlux.class);
     
     	static void safeRelease(ByteBuf byteBuf) {
     		if (byteBuf.refCnt() > 0) {
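
Review bot: the trailing comment on `MAX_CHUNK_SIZE` says `//500k`, but `1024 * 512` is 524288 bytes (512 KiB). The line is being touched anyway, so correct the comment to `// 512 KiB` so that the comment and the expression state the same limit.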
    
  • reactor-netty-core/src/main/java/reactor/netty/FutureMono.java+4 4 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright (c) 2011-2021 VMware, Inc. or its affiliates, All Rights Reserved.
    + * Copyright (c) 2011-2023 VMware, Inc. or its affiliates, All Rights Reserved.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -70,7 +70,7 @@ public static <F extends Future<Void>> Mono<Void> deferFuture(Supplier<F> deferr
     		return new DeferredFutureMono<>(deferredFuture);
     	}
     
    -	final static class ImmediateFutureMono<F extends Future<Void>> extends FutureMono {
    +	static final class ImmediateFutureMono<F extends Future<Void>> extends FutureMono {
     
     		final F future;
     
    @@ -84,7 +84,7 @@ public void subscribe(final CoreSubscriber<? super Void> s) {
     		}
     	}
     
    -	final static class DeferredFutureMono<F extends Future<Void>> extends FutureMono {
    +	static final class DeferredFutureMono<F extends Future<Void>> extends FutureMono {
     
     		final Supplier<F> deferredFuture;
     
    @@ -151,7 +151,7 @@ static <F extends Future<Void>> void doSubscribe(CoreSubscriber<? super Void> s,
     		}
     	}
     
    -	final static class FutureSubscription<F extends Future<Void>>
    +	static final class FutureSubscription<F extends Future<Void>>
     			implements GenericFutureListener<F>, Subscription, Supplier<Context> {
     
     		final CoreSubscriber<? super Void> s;
    
  • reactor-netty-core/src/main/java/reactor/netty/ReactorNetty.java+7 7 modified
    @@ -792,7 +792,7 @@ public Mono<Void> then() {
     		}
     	}
     
    -	final static class OutboundIdleStateHandler extends IdleStateHandler {
    +	static final class OutboundIdleStateHandler extends IdleStateHandler {
     
     		final Runnable onWriteIdle;
     
    @@ -811,7 +811,7 @@ protected void channelIdle(ChannelHandlerContext ctx,
     		}
     	}
     
    -	final static class InboundIdleStateHandler extends IdleStateHandler {
    +	static final class InboundIdleStateHandler extends IdleStateHandler {
     
     		final Runnable onReadIdle;
     
    @@ -830,35 +830,35 @@ protected void channelIdle(ChannelHandlerContext ctx,
     		}
     	}
     
    -	final static ConnectionObserver.State CONNECTED = new ConnectionObserver.State() {
    +	static final ConnectionObserver.State CONNECTED = new ConnectionObserver.State() {
     		@Override
     		public String toString() {
     			return "[connected]";
     		}
     	};
     
    -	final static ConnectionObserver.State ACQUIRED = new ConnectionObserver.State() {
    +	static final ConnectionObserver.State ACQUIRED = new ConnectionObserver.State() {
     		@Override
     		public String toString() {
     			return "[acquired]";
     		}
     	};
     
    -	final static ConnectionObserver.State CONFIGURED = new ConnectionObserver.State() {
    +	static final ConnectionObserver.State CONFIGURED = new ConnectionObserver.State() {
     		@Override
     		public String toString() {
     			return "[configured]";
     		}
     	};
     
    -	final static ConnectionObserver.State RELEASED = new ConnectionObserver.State() {
    +	static final ConnectionObserver.State RELEASED = new ConnectionObserver.State() {
     		@Override
     		public String toString() {
     			return "[released]";
     		}
     	};
     
    -	final static ConnectionObserver.State DISCONNECTING = new ConnectionObserver.State() {
    +	static final ConnectionObserver.State DISCONNECTING = new ConnectionObserver.State() {
     		@Override
     		public String toString() {
     			return "[disconnecting]";
    
  • reactor-netty-core/src/main/java/reactor/netty/resources/NewConnectionProvider.java+3 3 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright (c) 2018-2022 VMware, Inc. or its affiliates, All Rights Reserved.
    + * Copyright (c) 2018-2023 VMware, Inc. or its affiliates, All Rights Reserved.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -51,9 +51,9 @@
      */
     final class NewConnectionProvider implements ConnectionProvider {
     
    -	final static Logger log = Loggers.getLogger(NewConnectionProvider.class);
    +	static final Logger log = Loggers.getLogger(NewConnectionProvider.class);
     
    -	final static NewConnectionProvider INSTANCE = new NewConnectionProvider();
    +	static final NewConnectionProvider INSTANCE = new NewConnectionProvider();
     
     	@Override
     	public Mono<? extends Connection> acquire(TransportConfig config,
    
  • reactor-netty-core/src/main/java/reactor/netty/resources/PooledConnectionProvider.java+1 1 modified
    @@ -76,7 +76,7 @@ public abstract class PooledConnectionProvider<T extends Connection> implements
     	/**
     	 * Context key used to propagate the caller event loop in the connection pool subscription.
     	 */
    -	protected final static String CONTEXT_CALLER_EVENTLOOP = "callereventloop";
    +	protected static final String CONTEXT_CALLER_EVENTLOOP = "callereventloop";
     
     	final PoolFactory<T> defaultPoolFactory;
     	final Map<SocketAddress, PoolFactory<T>> poolFactoryPerRemoteHost = new HashMap<>();
    
  • reactor-netty-core/src/main/java/reactor/netty/transport/MicrometerEventLoopMeterRegistrar.java+2 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright (c) 2021-2022 VMware, Inc. or its affiliates, All Rights Reserved.
    + * Copyright (c) 2021-2023 VMware, Inc. or its affiliates, All Rights Reserved.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -39,7 +39,7 @@
     final class MicrometerEventLoopMeterRegistrar {
     	static final String PENDING_TASKS_DESCRIPTION = "Event loop pending scheduled tasks.";
     
    -	final static MicrometerEventLoopMeterRegistrar INSTANCE = new MicrometerEventLoopMeterRegistrar();
    +	static final MicrometerEventLoopMeterRegistrar INSTANCE = new MicrometerEventLoopMeterRegistrar();
     
     	private final ConcurrentMap<String, EventLoop> cache = new ConcurrentHashMap<>();
     
    
  • reactor-netty-core/src/test/java/reactor/netty/resources/PooledConnectionProviderCustomMetricsTest.java+3 3 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright (c) 2020-2022 VMware, Inc. or its affiliates, All Rights Reserved.
    + * Copyright (c) 2020-2023 VMware, Inc. or its affiliates, All Rights Reserved.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -50,9 +50,9 @@ class PooledConnectionProviderCustomMetricsTest {
     
     	private ConnectionProvider pool;
     
    -	private final static int MAX_ALLOC_SIZE = 100;
    +	private static final int MAX_ALLOC_SIZE = 100;
     
    -	private final static int MAX_PENDING_ACQUIRE_SIZE = 1000;
    +	private static final int MAX_PENDING_ACQUIRE_SIZE = 1000;
     
     	@BeforeEach
     	void setUp() {
    
  • reactor-netty-http/src/main/java/reactor/netty/http/client/FailedHttpClientRequest.java+2 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright (c) 2020-2021 VMware, Inc. or its affiliates, All Rights Reserved.
    + * Copyright (c) 2020-2023 VMware, Inc. or its affiliates, All Rights Reserved.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -157,5 +157,5 @@ public HttpVersion version() {
     		return HttpVersion.HTTP_1_1;
     	}
     
    -	final static String[] EMPTY = new String[0];
    +	static final String[] EMPTY = new String[0];
     }
    
  • reactor-netty-http/src/main/java/reactor/netty/http/client/HttpClientOperations.java+1 1 modified
    @@ -124,7 +124,7 @@ class HttpClientOperations extends HttpOperations<NettyInbound, NettyOutbound>
     	BiConsumer<HttpHeaders, HttpClientRequest> redirectRequestBiConsumer;
     	volatile Throwable unprocessedOutboundError;
     
    -	final static String INBOUND_CANCEL_LOG = "Http client inbound receiver cancelled, closing channel.";
    +	static final String INBOUND_CANCEL_LOG = "Http client inbound receiver cancelled, closing channel.";
     
     	HttpClientOperations(HttpClientOperations replaced) {
     		super(replaced);
    
  • reactor-netty-http/src/main/java/reactor/netty/http/client/MicrometerHttpClientMetricsRecorder.java+2 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright (c) 2019-2022 VMware, Inc. or its affiliates, All Rights Reserved.
    + * Copyright (c) 2019-2023 VMware, Inc. or its affiliates, All Rights Reserved.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -40,7 +40,7 @@
      */
     final class MicrometerHttpClientMetricsRecorder extends MicrometerHttpMetricsRecorder implements HttpClientMetricsRecorder {
     
    -	final static MicrometerHttpClientMetricsRecorder INSTANCE = new MicrometerHttpClientMetricsRecorder();
    +	static final MicrometerHttpClientMetricsRecorder INSTANCE = new MicrometerHttpClientMetricsRecorder();
     
     	private MicrometerHttpClientMetricsRecorder() {
     		super(HTTP_CLIENT_PREFIX, "http");
    
  • reactor-netty-http/src/main/java/reactor/netty/http/client/UriEndpointFactory.java+11 3 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright (c) 2017-2021 VMware, Inc. or its affiliates, All Rights Reserved.
    + * Copyright (c) 2017-2023 VMware, Inc. or its affiliates, All Rights Reserved.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -32,6 +32,7 @@ final class UriEndpointFactory {
     
     	static final Pattern URL_PATTERN = Pattern.compile(
     			"(?:(\\w+)://)?((?:\\[.+?])|(?<!\\[)(?:[^/?]+?))(?::(\\d{2,5}))?([/?].*)?");
    +	static final Pattern SCHEME_PATTERN = Pattern.compile("https?|wss?");
     
     	UriEndpointFactory(Supplier<? extends SocketAddress> connectAddress, boolean defaultSecure,
     			BiFunction<String, Integer, InetSocketAddress> inetSocketAddressFunction) {
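
Review bot: `SCHEME_PATTERN` is added without a comment stating that it is the allow-list of schemes and that it only matches lower-case input. `https?|wss?` is compiled without `Pattern.CASE_INSENSITIVE`, so it is correct only because both call sites lower-case the scheme before matching; a one-line Javadoc stating that contract would keep a later caller from passing a raw scheme and having `HTTPS` rejected. It also spells out literals that the class already references as `HttpClient.HTTP_SCHEME` and `HttpClient.HTTPS_SCHEME`, so say in the comment that the two must stay in step.
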
    @@ -52,7 +53,7 @@ UriEndpoint createUriEndpoint(String url, boolean isWs, Supplier<? extends Socke
     			Matcher matcher = URL_PATTERN.matcher(url);
     			if (matcher.matches()) {
     				// scheme is optional in pattern. use default if it's not specified
    -				String scheme = matcher.group(1) != null ? matcher.group(1).toLowerCase()
    +				String scheme = matcher.group(1) != null ? validateScheme(matcher.group(1).toLowerCase())
     						: resolveScheme(isWs);
     				String host = cleanHostString(matcher.group(2));
     
    @@ -77,7 +78,7 @@ UriEndpoint createUriEndpoint(URI url, boolean isWs) {
     		if (url.getHost() == null) {
     			throw new IllegalArgumentException("Host is not specified");
     		}
    -		String scheme = url.getScheme() != null ? url.getScheme().toLowerCase() : resolveScheme(isWs);
    +		String scheme = url.getScheme() != null ? validateScheme(url.getScheme().toLowerCase()) : resolveScheme(isWs);
     		String host = cleanHostString(url.getHost());
     		int port = url.getPort() != -1 ? url.getPort() : (UriEndpoint.isSecureScheme(scheme) ? 443 : 80);
     		String path = url.getRawPath() != null ? url.getRawPath() : "";
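
Review bot: `url.getScheme().toLowerCase()` lower-cases with the JVM default locale, and its result is now what `validateScheme` accepts or rejects. Use `toLowerCase(Locale.ROOT)` here and in the `matcher.group(1).toLowerCase()` call of the String overload, so the value being checked does not depend on the host's locale setting.
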
    @@ -132,4 +133,11 @@ String resolveScheme(boolean isWs) {
     			return defaultSecure ? HttpClient.HTTPS_SCHEME : HttpClient.HTTP_SCHEME;
     		}
     	}
    +
    +	static String validateScheme(String scheme) {
    +		if (!SCHEME_PATTERN.matcher(scheme).matches()) {
    +			throw new IllegalArgumentException("Invalid scheme [" + scheme + "]");
    +		}
    +		return scheme;
    +	}
     }
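
Review bot: `validateScheme` is a behaviour change inside a commit titled as a modifier-order chore: a URL whose scheme is not `http`, `https`, `ws` or `wss` now fails with `IllegalArgumentException`, and no `UriEndpointFactory` test appears among the 20 changed files. Split it into its own commit, with a test for one accepted and one rejected scheme in each `createUriEndpoint` overload, and document the new exception on the method. For readers arriving from the advisory: this is the only functional change among the hunks shown, and it is in the HTTP client; no hunk here touches the server-side static resource handling that the CVE description refers to.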
    
  • reactor-netty-http/src/main/java/reactor/netty/http/client/WebsocketClientOperations.java+1 1 modified
    @@ -60,7 +60,7 @@ final class WebsocketClientOperations extends HttpClientOperations
     
     	volatile int closeSent;
     
    -	final static String INBOUND_CANCEL_LOG = "WebSocket client inbound receiver cancelled, closing Websocket.";
    +	static final String INBOUND_CANCEL_LOG = "WebSocket client inbound receiver cancelled, closing Websocket.";
     
     	WebsocketClientOperations(URI currentURI,
     			WebsocketClientSpec websocketClientSpec,
    
  • reactor-netty-http/src/main/java/reactor/netty/http/Cookies.java+4 4 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright (c) 2011-2021 VMware, Inc. or its affiliates, All Rights Reserved.
    + * Copyright (c) 2011-2023 VMware, Inc. or its affiliates, All Rights Reserved.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -63,9 +63,9 @@ public static Cookies newServerRequestHolder(HttpHeaders headers, ServerCookieDe
     	}
     
     
    -	final static int NOT_READ = 0;
    -	final static int READING  = 1;
    -	final static int READ     = 2;
    +	static final int NOT_READ = 0;
    +	static final int READING  = 1;
    +	static final int READ     = 2;
     
     	final HttpHeaders   nettyHeaders;
     	final CharSequence  cookiesHeaderName;
    
  • reactor-netty-http/src/main/java/reactor/netty/http/HttpOperations.java+2 2 modified
    @@ -443,11 +443,11 @@ HttpMessage prepareHttpMessage(ByteBuf buffer) {
     	}
     
     	@SuppressWarnings("rawtypes")
    -	final static AtomicIntegerFieldUpdater<HttpOperations> HTTP_STATE =
    +	static final AtomicIntegerFieldUpdater<HttpOperations> HTTP_STATE =
     			AtomicIntegerFieldUpdater.newUpdater(HttpOperations.class,
     					"statusAndHeadersSent");
     
    -	final static ChannelInboundHandler HTTP_EXTRACTOR = NettyPipeline.inboundHandler(
    +	static final ChannelInboundHandler HTTP_EXTRACTOR = NettyPipeline.inboundHandler(
     			(ctx, msg) -> {
     				if (msg instanceof ByteBufHolder) {
     					if (msg instanceof FullHttpMessage) {
    
  • reactor-netty-http/src/main/java/reactor/netty/http/server/HttpServerOperations.java+2 2 modified
    @@ -1003,11 +1003,11 @@ public Context currentContext() {
     	}
     
     	static final Logger log = Loggers.getLogger(HttpServerOperations.class);
    -	final static AsciiString      EVENT_STREAM = new AsciiString("text/event-stream");
    +	static final AsciiString      EVENT_STREAM = new AsciiString("text/event-stream");
     
     	static final BiPredicate<HttpServerRequest, HttpServerResponse> COMPRESSION_DISABLED = (req, res) -> false;
     
    -	final static FullHttpResponse CONTINUE     =
    +	static final FullHttpResponse CONTINUE     =
     			new DefaultFullHttpResponse(HttpVersion.HTTP_1_1,
     					HttpResponseStatus.CONTINUE,
     					EMPTY_BUFFER);
    
  • reactor-netty-http/src/main/java/reactor/netty/http/server/MicrometerHttpServerMetricsRecorder.java+5 5 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright (c) 2019-2022 VMware, Inc. or its affiliates, All Rights Reserved.
    + * Copyright (c) 2019-2023 VMware, Inc. or its affiliates, All Rights Reserved.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -51,10 +51,10 @@
      */
     final class MicrometerHttpServerMetricsRecorder extends MicrometerHttpMetricsRecorder implements HttpServerMetricsRecorder {
     
    -	final static MicrometerHttpServerMetricsRecorder INSTANCE = new MicrometerHttpServerMetricsRecorder();
    -	private final static String PROTOCOL_VALUE_HTTP = "http";
    -	private final static String ACTIVE_CONNECTIONS_DESCRIPTION = "The number of http connections currently processing requests";
    -	private final static String ACTIVE_STREAMS_DESCRIPTION = "The number of HTTP/2 streams currently active on the server";
    +	static final MicrometerHttpServerMetricsRecorder INSTANCE = new MicrometerHttpServerMetricsRecorder();
    +	private static final String PROTOCOL_VALUE_HTTP = "http";
    +	private static final String ACTIVE_CONNECTIONS_DESCRIPTION = "The number of http connections currently processing requests";
    +	private static final String ACTIVE_STREAMS_DESCRIPTION = "The number of HTTP/2 streams currently active on the server";
     	private final LongAdder activeConnectionsAdder = new LongAdder();
     	private final LongAdder activeStreamsAdder = new LongAdder();
     	private final ConcurrentMap<String, LongAdder> activeConnectionsCache = new ConcurrentHashMap<>();
    
  • reactor-netty-http/src/main/java/reactor/netty/http/server/WebsocketServerOperations.java+1 1 modified
    @@ -65,7 +65,7 @@ final class WebsocketServerOperations extends HttpServerOperations
     
     	volatile int closeSent;
     
    -	final static String INBOUND_CANCEL_LOG = "WebSocket server inbound receiver cancelled, closing Websocket.";
    +	static final String INBOUND_CANCEL_LOG = "WebSocket server inbound receiver cancelled, closing Websocket.";
     
     	@SuppressWarnings("FutureReturnValueIgnored")
     	WebsocketServerOperations(String wsUrl, WebsocketServerSpec websocketServerSpec, HttpServerOperations replaced) {
    
  • reactor-netty-http/src/test/java/reactor/netty/http/Http2Tests.java+4 4 modified
    @@ -66,15 +66,15 @@
      * @since 1.0.0
      */
     class Http2Tests extends BaseHttpTest {
    -	private final static String H2_WITHOUT_TLS_SERVER = "Configured H2 protocol without TLS. Use" +
    +	private static final String H2_WITHOUT_TLS_SERVER = "Configured H2 protocol without TLS. Use" +
     			" a Clear-Text H2 protocol via HttpServer#protocol or configure TLS" +
     			" via HttpServer#secure";
    -	private final static String H2C_WITH_TLS_SERVER = "Configured H2 Clear-Text protocol with TLS. Use" +
    +	private static final String H2C_WITH_TLS_SERVER = "Configured H2 Clear-Text protocol with TLS. Use" +
     			" the non Clear-Text H2 protocol via HttpServer#protocol or disable TLS" +
     			" via HttpServer#noSSL())";
    -	private final static String H2_WITHOUT_TLS_CLIENT = "Configured H2 protocol without TLS. Use H2 Clear-Text " +
    +	private static final String H2_WITHOUT_TLS_CLIENT = "Configured H2 protocol without TLS. Use H2 Clear-Text " +
     			"protocol via HttpClient#protocol or configure TLS via HttpClient#secure";
    -	private final static String H2C_WITH_TLS_CLIENT = "Configured H2 Clear-Text protocol with TLS. " +
    +	private static final String H2C_WITH_TLS_CLIENT = "Configured H2 Clear-Text protocol with TLS. " +
     			"Use the non Clear-Text H2 protocol via HttpClient#protocol or disable TLS " +
     			"via HttpClient#noSSL()";
     
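
Review bot: `H2C_WITH_TLS_SERVER` ends with `HttpServer#noSSL())`, which carries an unbalanced closing parenthesis, while the client counterpart ends with `HttpClient#noSSL()`. If this constant mirrors the message thrown by the server, fix the message at its source and here in the same change; otherwise drop the extra `)`.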
    
  • reactor-netty-http/src/test/java/reactor/netty/http/HttpMetricsHandlerTests.java+4 4 modified
    @@ -1578,8 +1578,8 @@ public void recordResolveAddressTime(SocketAddress socketAddress, Duration durat
     	 * Metrics are up-to-date when the latch is counted down.
     	 */
     	static final class ResponseSentHandler extends ChannelOutboundHandlerAdapter {
    -		final static String HANDLER_NAME = "ServerCompletedHandler.handler";
    -		final static ResponseSentHandler INSTANCE = new ResponseSentHandler();
    +		static final String HANDLER_NAME = "ServerCompletedHandler.handler";
    +		static final ResponseSentHandler INSTANCE = new ResponseSentHandler();
     		AtomicReference<CountDownLatch> latchRef;
     
     		void register(AtomicReference<CountDownLatch> latchRef, ChannelPipeline pipeline) {
    @@ -1613,8 +1613,8 @@ public boolean isSharable() {
     	 * Metrics are up-to-date when the latch is counted down.
     	 */
     	static final class RequestReceivedHandler extends ChannelInboundHandlerAdapter {
    -		final static RequestReceivedHandler INSTANCE = new RequestReceivedHandler();
    -		final static String HANDLER_NAME = "ServerReceivedHandler.handler";
    +		static final RequestReceivedHandler INSTANCE = new RequestReceivedHandler();
    +		static final String HANDLER_NAME = "ServerReceivedHandler.handler";
     		AtomicReference<CountDownLatch> latchRef;
     
     		void register(AtomicReference<CountDownLatch> latchRef, ChannelPipeline pipeline) {
    
  • reactor-netty-http/src/test/java/reactor/netty/http/server/HttpServerTests.java+7 7 modified
    @@ -180,8 +180,8 @@ class HttpServerTests extends BaseHttpTest {
     	 * Server Handler used to send a TLS close_notify after the server last response has been flushed.
     	 * The close_notify is sent without closing the connection.
     	 */
    -	final static class SendCloseNotifyAfterLastResponseHandler extends ChannelOutboundHandlerAdapter {
    -		final static String NAME = "handler.send_close_notify_after_response";
    +	static final class SendCloseNotifyAfterLastResponseHandler extends ChannelOutboundHandlerAdapter {
    +		static final String NAME = "handler.send_close_notify_after_response";
     		final CountDownLatch latch;
     
     		SendCloseNotifyAfterLastResponseHandler(CountDownLatch latch) {
    @@ -212,8 +212,8 @@ public void write(ChannelHandlerContext ctx, Object msg, ChannelPromise promise)
     	 * any received SslCloseCompletionEvent events. Hence, ChannelOperationsHandler won't get the close_notify ack,
     	 * and won't close the channel.
     	 */
    -	final static class IgnoreCloseNotifyHandler extends ChannelInboundHandlerAdapter {
    -		final static String NAME = "handler.ignore_close_notify";
    +	static final class IgnoreCloseNotifyHandler extends ChannelInboundHandlerAdapter {
    +		static final String NAME = "handler.ignore_close_notify";
     
     		static void register(Connection cnx) {
     			cnx.channel().pipeline().addBefore(NettyPipeline.ReactiveBridge, NAME, new IgnoreCloseNotifyHandler());
    @@ -231,9 +231,9 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
     	 * Handler used to delay a bit outgoing HTTP/2 server responses. This handler will be placed
     	 * at the head of the server channel pipeline.
     	 */
    -	final static class DelayH2FlushHandler extends ChannelOutboundHandlerAdapter {
    -		final static String NAME = "handler.h2flush_delay";
    -		final static DelayH2FlushHandler INSTANCE = new DelayH2FlushHandler();
    +	static final class DelayH2FlushHandler extends ChannelOutboundHandlerAdapter {
    +		static final String NAME = "handler.h2flush_delay";
    +		static final DelayH2FlushHandler INSTANCE = new DelayH2FlushHandler();
     
     		static void register(Connection cnx) {
     			Channel channel = cnx.channel();
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
