Debian Netty vulnerabilities
31 known vulnerabilities affecting debian/netty.
Total CVEs
31
CISA KEV
1
actively exploited
Public exploits
1
Exploited in wild
1
Severity breakdown
CRITICAL: 2, HIGH: 11, MEDIUM: 11, LOW: 7
Vulnerabilities
Page 1 of 2
CVE-2026-33871 | HIGH | CVSS 8.7 | 2026
CVE-2026-33871 [HIGH] CVE-2026-33871: netty - Netty is an asynchronous, event-driven network application framework. In version...
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitig
debian
CVE-2026-33870 | HIGH | CVSS 7.5 | 2026
CVE-2026-33870 [HIGH] CVE-2026-33870: netty - Netty is an asynchronous, event-driven network application framework. In version...
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Scope: local
bookworm: open
bullseye: open
forky: open
sid:
debian
CVE-2025-55163 | HIGH | CVSS 8.2 | fixed in netty 1:4.1.48-7+deb12u2 (bookworm) | 2025
CVE-2025-55163 [HIGH] CVE-2025-55163: netty - Netty is an asynchronous, event-driven network application framework. Prior to v...
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit, which results in resource exhaustion and distributed denia
debian
CVE-2025-59419 | MEDIUM | CVSS 5.5 | fixed in netty 1:4.1.48-7+deb12u2 (bookworm) | 2025
CVE-2025-59419 [MEDIUM] CVE-2025-59419: netty - Netty is an asynchronous, event-driven network application framework. In version...
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters. The vulnerability exists in io.netty.handler.codec.s
debian
CVE-2025-67735 | MEDIUM | CVSS 6.5 | fixed in netty 1:4.1.48-7+deb12u2 (bookworm) | 2025
CVE-2025-67735 [MEDIUM] CVE-2025-67735: netty - Netty is an asynchronous, event-driven network application framework. In version...
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application
debian
CVE-2025-58057 | MEDIUM | CVSS 6.9 | fixed in netty 1:4.1.48-7+deb12u2 (bookworm) | 2025
CVE-2025-58057 [MEDIUM] CVE-2025-58057: netty - Netty is an asynchronous event-driven network application framework for rapid de...
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allo
debian
CVE-2025-25193 | LOW | CVSS 5.5 | 2025
CVE-2025-25193 [MEDIUM] CVE-2025-25193: netty - Netty, an asynchronous, event-driven network application framework, has a vulner...
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty
debian
CVE-2025-58056 | LOW | CVSS 2.9 | fixed in netty 1:4.1.48-7+deb12u2 (bookworm) | 2025
CVE-2025-58056 [LOW] CVE-2025-58056: netty - Netty is an asynchronous event-driven network application framework for developm...
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requir
debian
CVE-2025-24970 | LOW | CVSS 7.5 | 2025
CVE-2025-24970 [HIGH] CVE-2025-24970: netty - Netty, an asynchronous, event-driven network application framework, has a vulner...
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, it doesn't correctly handle validation of such a packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround
debian
CVE-2024-29025 | MEDIUM | CVSS 5.3 | fixed in netty 1:4.1.48-7+deb12u2 (bookworm) | 2024
CVE-2024-29025 [MEDIUM] CVE-2024-29025: netty - Netty is an asynchronous event-driven network application framework for rapid de...
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked into accumulating data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have; an attacker can send a chu
debian
CVE-2024-47535 | LOW | CVSS 5.5 | 2024
CVE-2024-47535 [MEDIUM] CVE-2024-47535: netty - Netty is an asynchronous event-driven network application framework for rapid de...
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large
debian
CVE-2023-44487 | HIGH | CVSS 7.5 | KEV | PoC | fixed in dnsdist 1.8.2-2 (forky) | 2023
CVE-2023-44487 [HIGH] CVE-2023-44487: dnsdist - The HTTP/2 protocol allows a denial of service (server resource consumption) bec...
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 1.8.2-2)
sid: resolved (fixed in 1.8.2-2)
trixie: resolved (fixed in 1.8.2-2)
debian
CVE-2023-34462 | MEDIUM | CVSS 6.5 | fixed in netty 1:4.1.48-7+deb12u1 (bookworm) | 2023
CVE-2023-34462 [MEDIUM] CVE-2023-34462: netty - Netty is an asynchronous event-driven network application framework for rapid de...
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to
debian
CVE-2022-41915 | MEDIUM | CVSS 6.5 | fixed in netty 1:4.1.48-6 (bookworm) | 2022
CVE-2022-41915 [MEDIUM] CVE-2022-41915: netty - Netty project is an event-driven asynchronous network application framework. Sta...
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in vers
debian
CVE-2022-41881 | MEDIUM | CVSS 5.3 | fixed in netty 1:4.1.48-6 (bookworm) | 2022
CVE-2022-41881 [MEDIUM] CVE-2022-41881: netty - Netty project is an event-driven asynchronous network application framework. In ...
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
Scope: local
bookworm: resolved (f
debian
CVE-2022-24823 | LOW | CVSS 6.2 | 2022
CVE-2022-24823 [MEDIUM] CVE-2022-24823: netty - Netty is an open-source, asynchronous event-driven network application framework...
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is en
debian
CVE-2021-37136 | HIGH | CVSS 7.5 | fixed in netty 1:4.1.48-6 (bookworm) | 2021
CVE-2021-37136 [HIGH] CVE-2021-37136: netty - The Bzip2 decompression decoder function doesn't allow setting size restrictions...
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
Scope: local
bookworm: resolved (fixed in 1:4.1.48-6)
bullseye: resolved (fixed in 1:4.1.48-4+
debian
CVE-2021-37137 | HIGH | CVSS 7.5 | fixed in netty 1:4.1.48-6 (bookworm) | 2021
CVE-2021-37137 [HIGH] CVE-2021-37137: netty - The Snappy frame decoder function doesn't restrict the chunk length which may le...
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network s
debian
CVE-2021-21295 | MEDIUM | CVSS 5.9 | fixed in netty 1:4.1.48-3 (bookworm) | 2021
CVE-2021-21295 [MEDIUM] CVE-2021-21295: netty - Netty is an open-source, asynchronous event-driven network application framework...
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field i
debian
CVE-2021-43797 | MEDIUM | CVSS 6.5 | fixed in netty 1:4.1.48-6 (bookworm) | 2021
CVE-2021-43797 [MEDIUM] CVE-2021-43797: netty - Netty is an asynchronous event-driven network application framework for rapid de...
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request
debian