Maven package
io.netty/netty-codec-http2
pkg:maven/io.netty/netty-codec-http2
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42587 | Hig | 7.5 | >= 4.2.0.Alpha1, < 4.2.13.Final | 4.2.13.Final | May 13, 2026 | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for | |
| CVE-2026-33871 | — | < 4.1.132.Final | 4.1.132.Final | Mar 27, 2026 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o | ||
| CVE-2025-55163 | — | >= 4.2.0.Alpha1, < 4.2.4.Final | 4.2.4.Final | Aug 13, 2025 | Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the | ||
| CVE-2021-21409 | — | >= 4.0.0, < 4.1.61.Final | 4.1.61.Final | Mar 30, 2021 | Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smug | ||
| CVE-2021-21295 | — | >= 4.0.0, < 4.1.60.Final | 4.1.60.Final | Mar 9, 2021 | Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smug |
- affected >= 4.2.0.Alpha1, < 4.2.13.Finalfixed 4.2.13.Final
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for
- CVE-2026-33871Mar 27, 2026affected < 4.1.132.Finalfixed 4.1.132.Final
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o
- CVE-2025-55163Aug 13, 2025affected >= 4.2.0.Alpha1, < 4.2.4.Finalfixed 4.2.4.Final
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the
- CVE-2021-21409Mar 30, 2021affected >= 4.0.0, < 4.1.61.Finalfixed 4.1.61.Final
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smug
- CVE-2021-21295Mar 9, 2021affected >= 4.0.0, < 4.1.60.Finalfixed 4.1.60.Final
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smug