VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-bx4g-w9et-87hx

Essentials
Severities (36)
References (21)
Severity details (22)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-bx4g-w9et-87hx
Aliases	CVE-2024-29025 GHSA-5jpm-x58v-624v
Summary	Netty's HttpPostRequestDecoder can OOM ### Summary The `HttpPostRequestDecoder` can be tricked to accumulate data. I have spotted currently two attack vectors ### Details 1. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. 2. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits ### PoC Here is a Netty branch that provides a fix + tests : https://github.com/vietj/netty/tree/post-request-decoder Here is a reproducer with Vert.x (which uses this decoder) https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3 ### Impact Any Netty based HTTP server that uses the `HttpPostRequestDecoder` to decode a form.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-770	Allocation of Resources Without Limits or Throttling
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	5.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29025.json
epss	0.00048	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00048	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00048	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00048	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00048	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00048	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00049	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00049	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00056	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00056	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00056	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00056	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00056	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
epss	0.00056	https://api.first.org/data/v1/epss?cve=CVE-2024-29025
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1	5.3	https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
generic_textual	MODERATE	https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
ssvc	Track	https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-5jpm-x58v-624v
cvssv3.1	5.3	https://github.com/netty/netty
generic_textual	MODERATE	https://github.com/netty/netty
cvssv3.1	5.3	https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
generic_textual	MODERATE	https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
ssvc	Track	https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
cvssv3.1	5.3	https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
cvssv3.1_qr	MODERATE	https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
generic_textual	MODERATE	https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
ssvc	Track	https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
cvssv3.1	5.3	https://github.com/vietj/netty/tree/post-request-decoder
generic_textual	MODERATE	https://github.com/vietj/netty/tree/post-request-decoder
cvssv3.1	5.3	https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html
generic_textual	MODERATE	https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html
ssvc	Track	https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html
cvssv3.1	5.3	https://nvd.nist.gov/vuln/detail/CVE-2024-29025
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2024-29025

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29025.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-29025
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29025
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
		https://github.com/netty/netty
		https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
		https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
		https://github.com/vietj/netty/tree/post-request-decoder
		https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html
		https://nvd.nist.gov/vuln/detail/CVE-2024-29025
1068110		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068110
2272907		https://bugzilla.redhat.com/show_bug.cgi?id=2272907
GHSA-5jpm-x58v-624v		https://github.com/advisories/GHSA-5jpm-x58v-624v
RHSA-2024:3550		https://access.redhat.com/errata/RHSA-2024:3550
RHSA-2024:4460		https://access.redhat.com/errata/RHSA-2024:4460
RHSA-2024:5479		https://access.redhat.com/errata/RHSA-2024:5479
RHSA-2024:5481		https://access.redhat.com/errata/RHSA-2024:5481
RHSA-2024:5482		https://access.redhat.com/errata/RHSA-2024:5482
RHSA-2024:6657		https://access.redhat.com/errata/RHSA-2024:6657
USN-7284-1		https://usn.ubuntu.com/7284-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29025.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T15:54:48Z/ Found at https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/netty/netty

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T15:54:48Z/ Found at https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T15:54:48Z/ Found at https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/vietj/netty/tree/post-request-decoder

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T15:54:48Z/ Found at https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2024-29025

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.14724
EPSS Score	0.00048
Published At	July 10, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:10:30.950032+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-5jpm-x58v-624v/GHSA-5jpm-x58v-624v.json	36.1.3