CVE-2025-55163 — Allocation of Resources Without Limits or Throttling in Netty

CWE-770 — Allocation of Resources Without Limits or Throttling9 documents6 sources

Severity

8.2HIGHNVD

EPSS

0.0%

top 87.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netty Debian Netty

Timeline

PublishedAug 13

Latest updateJan 15

Description

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶CVEListV5netty/netty< 4.1.124.Final+1

▶NVDnetty/netty4.2.0 — 4.2.4+1

▶debiandebian/netty< netty 1:4.1.48-7+deb12u2 (bookworm)

▶Debiannetty/netty< 1:4.1.48-4+deb11u3+3

🔴Vulnerability Details

OSV

CVE-2025-55163: Netty is an asynchronous, event-driven network application framework↗2025-08-13

▶

GHSA

Netty affected by MadeYouReset HTTP/2 DDoS vulnerability↗2025-08-13

▶

OSV

Netty affected by MadeYouReset HTTP/2 DDoS vulnerability↗2025-08-13

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Core (Netty) — CVE-2025-55163↗2026-01-15

▶

Oracle

Oracle Oracle Commerce Risk Matrix: Tools And Frameworks (Netty) — CVE-2025-55163↗2025-10-15

▶

Red Hat

upstream:↗2025-08-13

▶

Red Hat

netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability↗2025-08-13

▶

Debian

CVE-2025-55163: netty - Netty is an asynchronous, event-driven network application framework. Prior to v...↗2025

▶