CVE-2024-29025: Allocation of Resources Without Limits or Throttling in Netty

Severity
NVD: 5.3 MEDIUM
OSV: 5.5
EPSS
0.3% (top 44.49%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 25
Latest update: Apr 15

Description

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked into accumulating data. While the decoder can store items on disk if configured to do so, there is no limit on the number of fields a form can have; an attacker can send a chunked POST consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder accumulates bytes in th

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4

Affected Packages (5 packages)

Source    | Package      | Affected versions
CVEListV5 | netty/netty  | < 4.1.108.Final
NVD       | netty/netty  | < 4.1.108
Debian    | debian/netty | < netty 1:4.1.48-7+deb12u2 (bookworm)
Debian    | netty/netty  | < 1:4.1.48-4+deb11u3 +3
Ubuntu    | netty/netty  | < 1:4.0.34-1ubuntu0.1~esm2 +4

Also affects: Debian Linux 10.0

Patches

Vulnerability Details (4)

OSV: netty vulnerabilities (2025-02-24)
OSV: Netty's HttpPostRequestDecoder can OOM (2024-03-25)
GHSA: Netty's HttpPostRequestDecoder can OOM (2024-03-25)
OSV: CVE-2024-29025: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients (2024-03-25)

Vendor Advisories (7)

Oracle: Oracle Retail Applications Risk Matrix: Xenvironment (Netty) — CVE-2024-29025 (2025-04-15)
Ubuntu: Netty vulnerabilities (2025-02-24)
Oracle: Oracle Communications Applications Risk Matrix: Security (Netty) — CVE-2024-29025 (2025-01-15)
Oracle: Oracle Database Server Risk Matrix: Fleet Patching and Provisioning - Micronaut (Netty) — CVE-2024-29025 (2024-10-15)
Oracle: Oracle TimesTen In-Memory Database Risk Matrix: TimesTen Install (Netty) — CVE-2024-29025 (2024-07-15)