VYPR
High severity · NVD Advisory · Published Aug 13, 2025 · Updated Nov 4, 2025

Netty MadeYouReset HTTP/2 DDoS Vulnerability

CVE-2025-55163

Description

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to the MadeYouReset DDoS attack. This is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.netty:netty-codec-http2 | Maven | >= 4.2.0.Alpha1, < 4.2.4.Final | 4.2.4.Final |
| io.netty:netty-codec-http2 | Maven | < 4.1.124.Final | 4.1.124.Final |
| io.grpc:grpc-netty-shaded | Maven | < 1.75.0 | 1.75.0 |
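To check a build against the ranges in the table above, the following added example (not part of the advisory or of the Netty project) scans `mvn dependency:tree` output for affected coordinates and reports the patched version to move to. The sample tree is constructed, the function names are hypothetical, and the Alpha < Beta < RC < Final ordering of qualifiers is an assumption.

```python
import re

# Affected ranges copied from the table above: (inclusive lower bound or None, first patched version).
AFFECTED = {
    "io.netty:netty-codec-http2": [("4.2.0.Alpha1", "4.2.4.Final"), (None, "4.1.124.Final")],
    "io.grpc:grpc-netty-shaded": [(None, "1.75.0")],
}
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2, "final": 3}  # assumed pre-release ordering

# Constructed sample of `mvn dependency:tree` output (not taken from a real project).
SAMPLE_TREE = r"""[INFO] com.example:demo:jar:1.0.0
[INFO] +- io.netty:netty-codec-http2:jar:4.1.118.Final:compile
[INFO] +- io.netty:netty-handler:jar:4.1.118.Final:compile
[INFO] +- io.grpc:grpc-netty-shaded:jar:1.75.0:runtime
[INFO] \- org.example:proxy:jar:2.0.0:compile
[INFO]    \- io.netty:netty-codec-http2:jar:4.2.1.Final:compile
"""

def version_key(version):
    """Sortable key for versions such as 4.2.0.Alpha1, 4.1.124.Final or 1.75.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z]+)(\d*))?", version)
    qualifier = (m.group(4) or "final").lower() if m else None
    if qualifier not in QUALIFIER_RANK:
        raise ValueError(f"unrecognised version: {version}")
    return (*map(int, m.group(1, 2, 3)), QUALIFIER_RANK[qualifier], int(m.group(5) or 0))

def patched_version(coordinate, version):
    """Return the patched version to upgrade to, or None if the version is not affected."""
    key = version_key(version)
    for lower, fixed in AFFECTED.get(coordinate, []):
        if (lower is None or version_key(lower) <= key) and key < version_key(fixed):
            return fixed
    return None

def scan_dependency_tree(text):
    """Return [(coordinate, version, patched)] for affected entries in dependency-tree output."""
    findings = []
    for token in re.findall(r"[\w.\-]+(?::[\w.\-]+){4,5}", text):
        parts = token.split(":")  # group:artifact:type[:classifier]:version:scope
        coordinate, version = ":".join(parts[:2]), parts[-2]
        try:
            fixed = patched_version(coordinate, version)
        except ValueError:
            fixed = "unparsed version, check manually" if coordinate in AFFECTED else None
        if fixed:
            findings.append((coordinate, version, fixed))
    return findings
```

Only the coordinates listed in the table are matched, so copies of the HTTP/2 codec repackaged under other coordinates are not detected by this check.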

Affected products

340
