CVE-2026-42579
- EPSS 0.82%
- Veröffentlicht 13.05.2026 18:01:52
- Zuletzt bearbeitet 09.07.2026 13:17:14
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack...
CVE-2026-42577
- EPSS 0.41%
- Veröffentlicht 13.05.2026 18:00:28
- Zuletzt bearbeitet 18.05.2026 14:05:07
Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are ...
CVE-2026-42578
- EPSS 0.67%
- Veröffentlicht 13.05.2026 17:57:43
- Zuletzt bearbeitet 09.07.2026 13:17:14
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method create...
CVE-2026-42581
- EPSS 0.52%
- Veröffentlicht 13.05.2026 17:54:44
- Zuletzt bearbeitet 09.07.2026 13:17:15
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but...
CVE-2026-41417
- EPSS 0.31%
- Veröffentlicht 06.05.2026 20:52:47
- Zuletzt bearbeitet 11.05.2026 14:29:48
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the star...
CVE-2026-33871
- EPSS 1.13%
- Veröffentlicht 27.03.2026 19:55:23
- Zuletzt bearbeitet 03.07.2026 13:17:06
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. ...
CVE-2026-33870
- EPSS 0.64%
- Veröffentlicht 27.03.2026 19:54:15
- Zuletzt bearbeitet 03.07.2026 13:17:06
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling atta...
CVE-2025-67735
- EPSS 0.29%
- Veröffentlicht 16.12.2025 00:19:11
- Zuletzt bearbeitet 02.01.2026 18:50:23
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This...
CVE-2025-59419
- EPSS 1.62%
- Veröffentlicht 15.10.2025 15:42:30
- Zuletzt bearbeitet 15.04.2026 00:35:42
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Retur...
CVE-2025-58057
- EPSS 0.56%
- Veröffentlicht 03.09.2025 21:46:49
- Zuletzt bearbeitet 08.09.2025 16:45:55
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final a...