Uncontrolled Resource Consumption
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Advisories for Maven/Io.netty/Netty-Codec-Http2 package
2023
io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack
A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack. Impact This is a DDOS attack, any http2 server is affected and so you should update as soon as possible. Patches This is patched in version 4.1.100.Final. Workarounds A user can limit the amount of RST frames that are accepted per …
2022
Interpretation Conflict
This CVE has been marked as a False Positive and has been removed.
Uncontrolled Recursion
This advisory has been marked as a false positive.
False Positive
This advisory has been marked as False Positive and moved to netty-common.
False Positive
This advisory has been marked as False Positive and moved to netty-codec-http, netty-handler and netty-common.
2021
Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and …
Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)
If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up.
2020
Uncontrolled Resource Consumption
The ZlibDecoders in Netty allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)
Netty allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.