VulnerableCode Package Details - pkg:maven/io.netty/netty-codec-haproxy@4.1.38.Final

Search for packages

Vulnerability	Summary	Fixed by
VCID-qruf-r6dc-3ugj Aliases: CVE-2022-41881 GHSA-fx2c-96vj-985v	HAProxyMessageDecoder Stack Exhaustion DoS ### Impact A StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. ### Patches Users should upgrade to 4.1.86.Final. ### Workarounds There is no workaround, except using a custom HaProxyMessageDecoder. ### References When parsing a TLV with type = PP2_TYPE_SSL, the value can be again a TLV with type = PP2_TYPE_SSL and so on. The only limitation of the recursion is that the TLV length cannot be bigger than 0xffff because it is encoded in an unsigned short type. Providing a TLV with a nesting level that is large enough will lead to raising of a StackOverflowError. The StackOverflowError will be caught if HAProxyMessageDecoder is used as part of Netty’s ChannelPipeline, but using it directly without the ChannelPipeline will lead to a thrown exception / crash. ### For more information If you have any questions or comments about this advisory: * Open an issue in [netty](https://github.com/netty/netty)	4.1.86.Final Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-qruf-r6dc-3ugj
Aliases:
CVE-2022-41881
GHSA-fx2c-96vj-985v

HAProxyMessageDecoder Stack Exhaustion DoS ### Impact A StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. ### Patches Users should upgrade to 4.1.86.Final. ### Workarounds There is no workaround, except using a custom HaProxyMessageDecoder. ### References When parsing a TLV with type = PP2_TYPE_SSL, the value can be again a TLV with type = PP2_TYPE_SSL and so on. The only limitation of the recursion is that the TLV length cannot be bigger than 0xffff because it is encoded in an unsigned short type. Providing a TLV with a nesting level that is large enough will lead to raising of a StackOverflowError. The StackOverflowError will be caught if HAProxyMessageDecoder is used as part of Netty’s ChannelPipeline, but using it directly without the ChannelPipeline will lead to a thrown exception / crash. ### For more information If you have any questions or comments about this advisory: * Open an issue in [netty](https://github.com/netty/netty)

4.1.86.Final
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:17:53.964510+00:00	GitLab Importer	Affected by	VCID-qruf-r6dc-3ugj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-codec-haproxy/CVE-2022-41881.yml	38.4.0
2026-04-11T23:35:23.978014+00:00	GitLab Importer	Affected by	VCID-qruf-r6dc-3ugj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-codec-haproxy/CVE-2022-41881.yml	38.3.0
2026-04-02T23:40:02.526281+00:00	GitLab Importer	Affected by	VCID-qruf-r6dc-3ugj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-codec-haproxy/CVE-2022-41881.yml	38.1.0
2026-04-01T18:02:32.030093+00:00	GitLab Importer	Affected by	VCID-qruf-r6dc-3ugj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-codec-haproxy/CVE-2022-41881.yml	38.0.0