Maven package
io.netty/netty-handler
pkg:maven/io.netty/netty-handler
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-24970 | — | — | — | >= 4.1.91.Final, < 4.1.118.Final | 4.1.118.Final | Feb 10, 2025 | Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas |
| CVE-2023-4586 | — | — | — | >= 4.1.0.Final, <= 4.1.99.Final | — | Oct 4, 2023 | A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack. |
| CVE-2023-34462 | — | — | — | < 4.1.94.Final | 4.1.94.Final | Jun 22, 2023 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does |
| CVE-2020-11612 | — | — | — | >= 4.1.0, < 4.1.46 | 4.1.46 | Apr 7, 2020 | The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. |
| CVE-2019-20445 | — | — | — | >= 4.0.0, < 4.1.45 | 4.1.45 | Jan 29, 2020 | HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. |
| CVE-2020-7238 | — | — | — | >= 4.1.43, < 4.1.45 | 4.1.45 | Jan 27, 2020 | Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. |
| CVE-2016-4970 | High | 7.5 | — | >= 4.0.0.Alpha1, < 4.0.37.Final; also 4.1.x < 4.1.1.Final | 4.0.37.Final, 4.1.1.Final | Apr 13, 2017 | handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop). |
| CVE-2014-3488 | — | — | — | < 3.9.2 | 3.9.2 | Jul 31, 2014 | The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message. |
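To turn the table into something that can be run against a build, the script below (added here; it is not part of the package page or of Netty) encodes the affected ranges above and matches them against version strings in Netty's own form, where a bare `4.1.46` is the same release as `4.1.46.Final` and the `Alpha`, `Beta` and `CR` qualifiers sort before `Final`. The second range for CVE-2016-4970 (4.1.x before 4.1.1.Final) is taken from that row's description. The `mvn dependency:tree` excerpt is a constructed sample, and the line regex, the `-Dverbose` "omitted for" handling and the qualifier table are assumptions about Maven's output and ordering rules, not advisory data.

```python
"""Match resolved io.netty:netty-handler versions against the ranges in the table."""
import re

# Qualifier ordering, simplified from Maven's ComparableVersion (assumption):
# pre-release qualifiers sort before a bare or "Final" version, and a bare
# "4.1.46" is the same release as "4.1.46.Final".
_QUALIFIER_RANK = {
    "alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "cr": 3,
    "": 4, "final": 4, "ga": 4, "release": 4,
}

# Affected ranges copied from the table; the second CVE-2016-4970 range comes
# from its description ("4.1.x before 4.1.1.Final"). A version matches a CVE
# if it falls inside any one of that CVE's ranges.
ADVISORIES = {
    "CVE-2025-24970": [">= 4.1.91.Final, < 4.1.118.Final"],
    "CVE-2023-4586": [">= 4.1.0.Final, <= 4.1.99.Final"],
    "CVE-2023-34462": ["< 4.1.94.Final"],
    "CVE-2020-11612": [">= 4.1.0, < 4.1.46"],
    "CVE-2019-20445": [">= 4.0.0, < 4.1.45"],
    "CVE-2020-7238": [">= 4.1.43, < 4.1.45"],
    "CVE-2016-4970": [">= 4.0.0.Alpha1, < 4.0.37.Final", ">= 4.1.0.Alpha1, < 4.1.1.Final"],
    "CVE-2014-3488": ["< 3.9.2"],
}


def parse_version(v):
    """'4.0.0.Alpha1' -> ((4, 0, 0), 0, 1); '4.1.46' and '4.1.46.Final' -> ((4, 1, 46), 4, 0)."""
    nums, qualifier = [], ""
    for part in v.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part
            break
    m = re.fullmatch(r"([A-Za-z]*)(\d*)", qualifier)
    if not nums or m is None or m.group(1).lower() not in _QUALIFIER_RANK:
        raise ValueError(f"unsupported version string: {v!r}")
    while len(nums) < 3:          # "4.1" compares as "4.1.0"
        nums.append(0)
    return tuple(nums), _QUALIFIER_RANK[m.group(1).lower()], int(m.group(2) or 0)


_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}


def in_range(version, spec):
    """True if `version` satisfies every comma-separated constraint in `spec`."""
    pv = parse_version(version)
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<)\s*(\S+)\s*", part)
        if not m:
            raise ValueError(f"bad constraint: {part!r}")
        if not _OPS[m.group(1)](pv, parse_version(m.group(2))):
            return False
    return True


def affected_cves(version):
    """CVEs from the table whose affected range contains `version`."""
    return sorted(cve for cve, specs in ADVISORIES.items()
                  if any(in_range(version, s) for s in specs))


# Dependency lines look like "io.netty:netty-handler:jar:4.1.100.Final:compile",
# optionally with a classifier between the type and the version (assumption).
_TREE_LINE = re.compile(r"io\.netty:netty-handler:(?:jar|bundle):(?:[^:\s]+:)?(\d[^:\s]*):")


def versions_from_dependency_tree(text):
    """Resolved netty-handler versions in `mvn dependency:tree` output.
    With -Dverbose Maven also prints versions it dropped during mediation
    ("... - omitted for conflict with ..."); those never reach the classpath."""
    found = set()
    for line in text.splitlines():
        if "omitted for" in line:
            continue
        found.update(_TREE_LINE.findall(line))
    return sorted(found)


def scan_dependency_tree(text):
    """{resolved version: [matching CVE, ...]} for the whole tree."""
    return {v: affected_cves(v) for v in versions_from_dependency_tree(text)}


# Constructed sample of `mvn dependency:tree -Dverbose` output, not a real build.
SAMPLE_TREE = r"""[INFO] --- dependency:3.6.1:tree (default-cli) @ demo-service ---
[INFO] com.example:demo-service:jar:1.0.0
[INFO] +- io.netty:netty-handler:jar:4.1.100.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.100.Final:compile
[INFO] |  \- io.netty:netty-transport:jar:4.1.100.Final:compile
[INFO] \- com.example:legacy-client:jar:2.3.0:compile
[INFO]    \- (io.netty:netty-handler:jar:4.1.44.Final:compile - omitted for conflict with 4.1.100.Final)
"""

if __name__ == "__main__":
    for version, cves in scan_dependency_tree(SAMPLE_TREE).items():
        print(version, "->", ", ".join(cves) or "no CVEs from the table")
```

The sample tree resolves to 4.1.100.Final, so only CVE-2025-24970 is reported; the 4.1.44.Final copy that Maven omitted during conflict mediation is ignored on purpose, since it is not what ends up on the classpath. If a build pins the older version through `dependencyManagement`, the tree shows that version as the resolved one and the scan reports the five CVEs that cover it.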
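The two request-smuggling rows (CVE-2019-20445 and CVE-2020-7238) describe three ways a request's framing becomes ambiguous: a second Content-Length header, Content-Length beside Transfer-Encoding, and a Transfer-Encoding line hidden behind leading whitespace so that a strict parser folds it into the previous header while a lenient one honours it. The check below is an added example, not Netty's HttpObjectDecoder and not code from this page; it rejects a request head that shows any of those shapes, and also whitespace between a header name and its colon, which RFC 7230 section 3.2.4 requires a server to refuse with 400. The request heads are constructed samples, not captured traffic.

```python
"""Reject HTTP/1.1 request heads whose body length is ambiguous."""
import re

# Constructed request heads (not captured traffic).
CLEAN = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DOUBLE_CL = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 50\r\n\r\nhello")
CL_AND_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
# The CVE-2020-7238 shape: "[space]Transfer-Encoding:chunked" followed by Content-Length.
FOLDED_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b" Transfer-Encoding:chunked\r\nContent-Length: 5\r\n\r\nhello")
SPACE_COLON = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")


def header_lines(raw):
    """Raw header lines of a request head, without the request line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return head.split("\r\n")[1:]


def framing_problems(raw):
    """Codes for every way this request's body length is ambiguous.
    An empty list means the request has exactly one framing every parser agrees on."""
    problems = []
    content_lengths, transfer_encodings = [], []
    for line in header_lines(raw):
        if line[:1] in (" ", "\t"):
            # obs-fold: a strict parser appends this text to the previous header,
            # a lenient one may treat it as a new header such as Transfer-Encoding.
            problems.append("obs-fold")
            continue
        name, _, value = line.partition(":")
        if name != name.rstrip():
            # "Transfer-Encoding : chunked": RFC 7230 3.2.4 says respond 400.
            problems.append("space-before-colon")
        name = name.strip().lower()
        value = value.strip()
        if name == "content-length":
            content_lengths.append(value)
        elif name == "transfer-encoding":
            transfer_encodings.append(value)
    if any(not re.fullmatch(r"\d+", v) for v in content_lengths):
        problems.append("bad-content-length")
    if len(set(content_lengths)) > 1:
        problems.append("conflicting-content-length")
    elif len(content_lengths) > 1:
        # Identical duplicates are tolerated by RFC 7230 3.3.2; reject anyway.
        problems.append("duplicate-content-length")
    if content_lengths and transfer_encodings:
        # RFC 7230 3.3.3: Transfer-Encoding wins, Content-Length must be dropped
        # or the message rejected; a front end should reject.
        problems.append("content-length-with-transfer-encoding")
    return problems


if __name__ == "__main__":
    for label, head in [("clean", CLEAN), ("double CL", DOUBLE_CL), ("CL+TE", CL_AND_TE),
                        ("folded TE", FOLDED_TE), ("space before colon", SPACE_COLON)]:
        print(f"{label:20s} {framing_problems(head) or 'ok'}")
```

A reverse proxy or WAF that applies this before forwarding to an older Netty backend removes the disagreement the two CVEs rely on: every request that reaches the backend has a single Content-Length or a single Transfer-Encoding, and no folded or oddly spaced header line for the lenient parser to read differently.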