Search for packages
| purl | pkg:maven/io.netty/netty-codec-http2@4.1.47.Final |
| Next non-vulnerable version | 4.1.100.Final |
| Latest non-vulnerable version | 4.1.100.Final |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-jfp9-8vq3-zyfs
Aliases: GHSA-xpw8-rcwv-8f8p GMS-2023-3377 |
io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack. ### Impact This is a DDOS attack, any http2 server is affected and so you should update as soon as possible. ### Patches This is patched in version 4.1.100.Final. ### Workarounds A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own `Http2FrameListener` implementation or an `ChannelInboundHandler` implementation (depending which http2 API is used). ### References - https://www.cve.org/CVERecord?id=CVE-2023-44487 - https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ - https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/ |
Affected by 0 other vulnerabilities. |
|
VCID-qfeu-57ke-gket
Aliases: CVE-2021-21295 GHSA-wm47-8v5p-wjpj |
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-03T18:51:26.576160+00:00 | GitLab Importer | Affected by | VCID-jfp9-8vq3-zyfs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-codec-http2/GMS-2023-3377.yml | 37.0.0 |
| 2025-07-03T17:55:25.535670+00:00 | GitLab Importer | Affected by | VCID-qfeu-57ke-gket | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-codec-http2/CVE-2021-21295.yml | 37.0.0 |
| 2025-07-03T17:51:05.155131+00:00 | GHSA Importer | Affected by | VCID-jfp9-8vq3-zyfs | https://github.com/advisories/GHSA-xpw8-rcwv-8f8p | 37.0.0 |