VulnerableCode Package Details - pkg:maven/io.netty/netty-codec-http2@4.1.61.Final

Search for packages

Vulnerability	Summary	Fixed by
VCID-jfp9-8vq3-zyfs Aliases: GHSA-xpw8-rcwv-8f8p GMS-2023-3377	io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack. ### Impact This is a DDOS attack, any http2 server is affected and so you should update as soon as possible. ### Patches This is patched in version 4.1.100.Final. ### Workarounds A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own `Http2FrameListener` implementation or an `ChannelInboundHandler` implementation (depending which http2 API is used). ### References - https://www.cve.org/CVERecord?id=CVE-2023-44487 - https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ - https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/	4.1.100.Final Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-jfp9-8vq3-zyfs
Aliases:
GHSA-xpw8-rcwv-8f8p
GMS-2023-3377

io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack. ### Impact This is a DDOS attack, any http2 server is affected and so you should update as soon as possible. ### Patches This is patched in version 4.1.100.Final. ### Workarounds A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own `Http2FrameListener` implementation or an `ChannelInboundHandler` implementation (depending which http2 API is used). ### References - https://www.cve.org/CVERecord?id=CVE-2023-44487 - https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ - https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/

4.1.100.Final
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-7acq-cfm6-xkcp	Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.	CVE-2021-21409 GHSA-f256-j965-7f32

Vulnerability

Summary

Aliases

VCID-7acq-cfm6-xkcp

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

CVE-2021-21409
GHSA-f256-j965-7f32

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T18:51:26.606645+00:00	GitLab Importer	Affected by	VCID-jfp9-8vq3-zyfs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-codec-http2/GMS-2023-3377.yml	37.0.0
2025-07-03T17:51:05.183873+00:00	GHSA Importer	Affected by	VCID-jfp9-8vq3-zyfs	https://github.com/advisories/GHSA-xpw8-rcwv-8f8p	37.0.0
2025-07-03T16:51:20.839316+00:00	GHSA Importer	Fixing	VCID-7acq-cfm6-xkcp	https://github.com/advisories/GHSA-f256-j965-7f32	37.0.0
2025-07-01T12:19:06.324411+00:00	GithubOSV Importer	Fixing	VCID-7acq-cfm6-xkcp	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json	36.1.3