VYPR

Vendor CVEs

Netty

All CVEs

64 total · sorted by risk
  • CVE-2023-44487HigKEVOct 10, 2023
    risk 0.65cvss 7.5epss 1.00

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2026-47691HigJun 12, 2026
    risk 0.57cvss 8.7epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an…

  • CVE-2026-45674HigJun 12, 2026
    risk 0.57cvss 8.7epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and…

  • CVE-2026-44249HigJun 11, 2026
    risk 0.53cvss 8.1epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid…

  • CVE-2026-48040CriJun 4, 2026
    risk 0.52cvss 9.1epss 0.00

    The netty incubator codec.bhttp is a java language binary http parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations versions prior to 0.0.22.Final provide a fallback…

  • CVE-2016-4970HigApr 13, 2017
    risk 0.50cvss 7.5epss 0.11

    handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).

  • CVE-2026-50011HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That…

  • CVE-2026-50010HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in…

  • CVE-2026-48748HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version…

  • CVE-2026-48059HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid…

  • CVE-2026-48006HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array…

  • CVE-2026-46340HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does `fragments.put(streamId,…

  • CVE-2026-45416HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly…

  • CVE-2026-44894HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the application does not set one. Prior to version 4.2.15.Final, its writeToken() returns false (server will not send Retry — acceptable),…

  • CVE-2026-44893HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex()…

  • CVE-2026-44892HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not…

  • CVE-2026-44890HigJun 11, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts…

  • CVE-2026-44250HigJun 11, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to…

  • CVE-2026-42587HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.01

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced…

  • CVE-2026-42583HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload…

  • CVE-2026-42582HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before…

  • CVE-2026-42579HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.01

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS…

  • CVE-2026-42578HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using…

  • CVE-2026-42584HigMay 13, 2026
    risk 0.47cvss 7.3epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the…

  • CVE-2026-45673MedJun 12, 2026
    risk 0.44cvss 6.8epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination…

  • CVE-2026-42586MedMay 13, 2026
    risk 0.44cvss 6.8epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n)…

  • CVE-2026-42585MedMay 13, 2026
    risk 0.42cvss 6.5epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

  • CVE-2026-42580MedMay 13, 2026
    risk 0.42cvss 6.5epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

  • CVE-2026-42577HigMay 13, 2026
    risk 0.42cvss 7.5epss 0.00

    Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some…

  • CVE-2015-2156HigOct 18, 2017
    risk 0.42cvss 7.5epss 0.05

    Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper…

  • CVE-2026-42581MedMay 13, 2026
    risk 0.38cvss 5.8epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages.…

  • CVE-2026-48480MedJun 4, 2026
    risk 0.36cvss epss 0.00

    The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.22.FInal, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates.…

  • CVE-2026-50560MedJun 12, 2026
    risk 0.34cvss 5.3epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification…

  • CVE-2026-50020MedJun 12, 2026
    risk 0.34cvss 5.3epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00–0x1F…

  • CVE-2026-48043MedJun 12, 2026
    risk 0.34cvss 5.3epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream…

  • CVE-2026-47244MedJun 12, 2026
    risk 0.34cvss 5.3epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts…

  • CVE-2026-41417MedMay 6, 2026
    risk 0.34cvss 5.3epss 0.00

    Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does…

  • CVE-2026-50009MedJun 12, 2026
    risk 0.31cvss 4.8epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The…

  • CVE-2025-59419MedOct 15, 2025
    risk 0.29cvss epss 0.02

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n)…

  • CVE-2026-41207MedJun 4, 2026
    risk 0.27cvss 5.3epss 0.00

    The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for…

  • CVE-2026-44248MedMay 13, 2026
    risk 0.27cvss 5.3epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is…

  • CVE-2025-29908MedMar 31, 2025
    risk 0.27cvss 5.3epss 0.01

    Netty QUIC codec is a QUIC codec for netty which makes use of quiche. An issue was discovered in the codec. A hash collision vulnerability (in the hash map used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by…

  • CVE-2026-45536MedJun 12, 2026
    risk 0.26cvss 4.0epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent…

  • CVE-2026-33871Mar 27, 2026
    risk 0.00cvss epss 0.01

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit…

  • CVE-2026-33870Mar 27, 2026
    risk 0.00cvss epss 0.00

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final…

  • CVE-2025-67735Dec 16, 2025
    risk 0.00cvss epss 0.00

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling…

  • CVE-2025-58057Sep 3, 2025
    risk 0.00cvss epss 0.01

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with…

  • CVE-2025-58056Sep 3, 2025
    risk 0.00cvss epss 0.01

    Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a…

  • CVE-2025-55163Aug 13, 2025
    risk 0.00cvss epss 0.01

    Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break…

  • CVE-2025-25193Feb 10, 2025
    risk 0.00cvss epss 0.00

    Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty…

Page 1 of 2