| Field | Value |
|---|---|
| purl | pkg:deb/debian/netty@1:3.2.6.Final-2 |
| Next non-vulnerable version | 1:4.1.48-7+deb12u2 |
| Latest non-vulnerable version | 1:4.1.48-7+deb12u2 |
| Risk | |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2uwj-t45x-8uf4 (aliases: CVE-2023-34462, GHSA-6mjq-h674-j845) | Allocation of Resources Without Limits or Throttling: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers and clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, this can be used to make a TCP server that uses the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure an `SslHandler` according to the server name indicated by the `ClientHello` record. To do so it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally that value should be smaller than the handshake packet, but no checks are done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final. | Affected by 6 other vulnerabilities. |
| VCID-2v1s-fd7a-57fa (aliases: CVE-2019-20445, GHSA-p2v9-g2qv-p635) | Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling): This advisory has been marked as a false positive. | Affected by 20 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-36k9-5vt3-7yd6 (aliases: CVE-2025-55163, GHSA-prj3-ccx8-p6x4) | Netty affected by MadeYouReset HTTP/2 DDoS vulnerability: The MadeYouReset DDoS vulnerability is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service. | Affected by 0 other vulnerabilities. |
| VCID-4qf3-39tb-vkcq (aliases: CVE-2022-41915, GHSA-hh82-3pmq-7frp) | Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call into a `remove()` call followed by `add()` in a loop over the iterator of values. | Affected by 6 other vulnerabilities. |
| VCID-6ezr-6u34-8uhv (aliases: CVE-2020-11612, GHSA-mm9x-g8pc-w292) | Uncontrolled Resource Consumption: The ZlibDecoders in Netty allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. | Affected by 20 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-87dy-43px-e7gv (aliases: CVE-2021-37136, GHSA-grg4-wf29-r9vv) | Uncontrolled Resource Consumption: The Bzip2 decompression decoder function does not allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OutOfMemoryError (OOME) and thus a DoS attack. | Affected by 6 other vulnerabilities. |
| VCID-addw-cfsb-6uhy (aliases: CVE-2024-29025, GHSA-5jpm-x58v-624v) | Netty's HttpPostRequestDecoder can OOM: The `HttpPostRequestDecoder` can be tricked into accumulating data. I have currently spotted two attack vectors. | Affected by 0 other vulnerabilities. |
| VCID-ag7u-zdts-2qb1 (aliases: CVE-2021-43797, GHSA-wx5j-54mm-rqqq) | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'): This CVE has been marked as a False Positive and has been removed. | Affected by 6 other vulnerabilities. |
| VCID-bchk-2x6c-qyhm (aliases: CVE-2015-2156, GHSA-xfv3-rrfm-f2rv) | Improper Input Validation: Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5, and Play Framework 2.x before 2.3.9, might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. | Affected by 20 other vulnerabilities. |
| VCID-e6fc-vcux-hfad (aliases: CVE-2025-58057, GHSA-3p8m-j85q-pgmj) | Netty's decoders vulnerable to DoS via zip bomb style attack: With specially crafted input, `BrotliDecoder` and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. | Affected by 0 other vulnerabilities. |
| VCID-fp37-7px7-g3g7 (aliases: CVE-2020-7238, GHSA-ff2w-cq2g-wv5f) | Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling): Netty allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a `[space]Transfer-Encoding:chunked` line) and a later Content-Length header. | Affected by 20 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-fp7h-pcay-kfgj (aliases: CVE-2021-37137, GHSA-9vjp-v76f-g363) | Uncontrolled Resource Consumption: The Snappy frame decoder function does not restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. | Affected by 6 other vulnerabilities. |
| VCID-geey-eavj-5uhp (aliases: CVE-2019-16869, GHSA-p979-4mfw-53vg) | Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling): This advisory has been marked as a false positive. | Affected by 20 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-gfbf-t6cs-auh5 (aliases: CVE-2025-67735, GHSA-84h7-rjj3-6jx4) | Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder: `io.netty.handler.codec.http.HttpRequestEncoder` is subject to CRLF injection via the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. | Affected by 0 other vulnerabilities. |
| VCID-h4ay-cgr4-4bdb (aliases: CVE-2021-21290, GHSA-5mcr-gq6c-3hq2) | This advisory has been marked as False Positive and moved to `netty-codec-http`, `netty-handler` and `netty-common`. | Affected by 20 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-h98v-8fr5-e7a7 (aliases: CVE-2021-21295, CVE-2021-21409, GHSA-f256-j965-7f32, GHSA-wm47-8v5p-wjpj) | Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling): If a `Content-Length` header is present in the original `HTTP/2` request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. | Affected by 20 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-r4xe-h69g-vfhk (aliases: CVE-2022-41881, GHSA-fx2c-96vj-985v) | Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. | Affected by 6 other vulnerabilities. |
| VCID-tdx9-auyq-sugr (aliases: CVE-2025-58056, GHSA-fghv-69vj-qj49) | Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions: A flaw in Netty's parsing of chunk extensions in HTTP/1.1 messages with chunked encoding can lead to request smuggling issues with some reverse proxies. | Affected by 0 other vulnerabilities. |
| VCID-w796-37e6-xuag (aliases: CVE-2025-59419, GHSA-jq43-27x9-3v86) | Netty has SMTP Command Injection Vulnerability that Allows Email Forgery: An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP codec allows a remote attacker who can control SMTP command parameters (e.g., an email recipient) to forge arbitrary emails from the trusted server. This bypasses standard email authentication and can be used to impersonate executives and forge high-stakes corporate communications. | Affected by 0 other vulnerabilities. |
| VCID-wtb2-m2jk-eqc2 (aliases: CVE-2016-4970, GHSA-rv63-gqm8-9w8q) | Infinite Loop for SSL Handler: This advisory has been marked as a false positive. | Affected by 20 other vulnerabilities. |
| VCID-xu2d-s4v6-17ah (aliases: CVE-2019-20444, GHSA-cqqj-4p63-rrmm) | Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling): This advisory has been marked as a false positive. | Affected by 20 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-y4a2-mamb-yqg6 (aliases: CVE-2023-44487, GHSA-2m7v-gc89-fjqf, GHSA-qppj-fm5r-hxr3, GHSA-vx74-f528-fxqg, GHSA-xpw8-rcwv-8f8p, GMS-2023-3377, VSV00013) | False Positive: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |