VulnerableCode Package Details - pkg:maven/io.netty/netty-codec-http2@4.1.100.Final

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-jfp9-8vq3-zyfs	io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack. ### Impact This is a DDOS attack, any http2 server is affected and so you should update as soon as possible. ### Patches This is patched in version 4.1.100.Final. ### Workarounds A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own `Http2FrameListener` implementation or an `ChannelInboundHandler` implementation (depending which http2 API is used). ### References - https://www.cve.org/CVERecord?id=CVE-2023-44487 - https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ - https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/	GHSA-xpw8-rcwv-8f8p GMS-2023-3377

Vulnerability

Summary

Aliases

VCID-jfp9-8vq3-zyfs

io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack. ### Impact This is a DDOS attack, any http2 server is affected and so you should update as soon as possible. ### Patches This is patched in version 4.1.100.Final. ### Workarounds A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own `Http2FrameListener` implementation or an `ChannelInboundHandler` implementation (depending which http2 API is used). ### References - https://www.cve.org/CVERecord?id=CVE-2023-44487 - https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ - https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/

GHSA-xpw8-rcwv-8f8p
GMS-2023-3377

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T18:51:26.686714+00:00	GitLab Importer	Fixing	VCID-jfp9-8vq3-zyfs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-codec-http2/GMS-2023-3377.yml	37.0.0
2025-07-03T16:53:40.334140+00:00	GHSA Importer	Fixing	VCID-jfp9-8vq3-zyfs	https://github.com/advisories/GHSA-xpw8-rcwv-8f8p	37.0.0
2025-07-01T18:14:54.641467+00:00	GitLab Importer	Fixing	VCID-jfp9-8vq3-zyfs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-codec-http2/GMS-2023-3377.yml	36.1.3
2025-07-01T12:13:38.536241+00:00	GithubOSV Importer	Fixing	VCID-jfp9-8vq3-zyfs	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-xpw8-rcwv-8f8p/GHSA-xpw8-rcwv-8f8p.json	36.1.3