io.netty:netty-codec-classes-quic 4.2.12.Final

Direct Vulnerabilities

Known vulnerabilities in the io.netty:netty-codec-classes-quic package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Insecure Randomness Affected versions of this package are vulnerable to Insecure Randomness in the form of generating stateless reset-tokens based on HMAC connection ID. An attacker in a MitM position can deduce token material by observing QUIC headers after a source CID rotation, and can cause service disruption by sending spoofed stateless reset packets. How to fix Insecure Randomness? Upgrade `io.netty:netty-codec-classes-quic` to version 4.2.15.Final or higher.	[4.2.0.Alpha1,4.2.15.Final)
H Improper Verification of Source of a Communication Channel Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel due to improper validation in the `validateToken` function. An attacker can cause the server to treat unvalidated client addresses as validated by supplying any non-empty token bytes in an Initial packet with a spoofed source IP, resulting in the server reflecting large handshake responses to the victim without the intended anti-amplification limit. How to fix Improper Verification of Source of a Communication Channel? Upgrade `io.netty:netty-codec-classes-quic` to version 4.2.15.Final or higher.	[4.2.0.Final,4.2.15.Final)

Vulnerability

Vulnerable Version

Insecure Randomness

Affected versions of this package are vulnerable to Insecure Randomness in the form of generating stateless reset-tokens based on HMAC connection ID. An attacker in a MitM position can deduce token material by observing QUIC headers after a source CID rotation, and can cause service disruption by sending spoofed stateless reset packets.

How to fix Insecure Randomness?

Upgrade io.netty:netty-codec-classes-quic to version 4.2.15.Final or higher.

[4.2.0.Alpha1,4.2.15.Final)

Improper Verification of Source of a Communication Channel

Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel due to improper validation in the validateToken function. An attacker can cause the server to treat unvalidated client addresses as validated by supplying any non-empty token bytes in an Initial packet with a spoofed source IP, resulting in the server reflecting large handshake responses to the victim without the intended anti-amplification limit.

How to fix Improper Verification of Source of a Communication Channel?

Upgrade io.netty:netty-codec-classes-quic to version 4.2.15.Final or higher.

[4.2.0.Final,4.2.15.Final)

io.netty:netty-codec-classes-quic@4.2.12.Final

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically