Search for packages
| purl | pkg:maven/io.netty/netty-codec-http2@4.1.94.Final |
| Next non-vulnerable version | 4.1.100.Final |
| Latest non-vulnerable version | 4.1.100.Final |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-jfp9-8vq3-zyfs
Aliases: GHSA-xpw8-rcwv-8f8p GMS-2023-3377 |
io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack. ### Impact This is a DDOS attack, any http2 server is affected and so you should update as soon as possible. ### Patches This is patched in version 4.1.100.Final. ### Workarounds A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own `Http2FrameListener` implementation or an `ChannelInboundHandler` implementation (depending which http2 API is used). ### References - https://www.cve.org/CVERecord?id=CVE-2023-44487 - https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ - https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/ |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-03T18:51:26.675164+00:00 | GitLab Importer | Affected by | VCID-jfp9-8vq3-zyfs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-codec-http2/GMS-2023-3377.yml | 37.0.0 |
| 2025-07-03T17:51:05.254690+00:00 | GHSA Importer | Affected by | VCID-jfp9-8vq3-zyfs | https://github.com/advisories/GHSA-xpw8-rcwv-8f8p | 37.0.0 |