io.netty:netty-codec-http2 4.2.14.Final

Direct Vulnerabilities

Known vulnerabilities in the io.netty:netty-codec-http2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Allocation of Resources Without Limits or Throttling io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the handling of the `SETTINGS_MAX_HEADER_LIST_SIZE` setting, when acting as a server. An attacker can cause the server to trigger exceptions during response header writing, by sending artificially small header size limits that block other clients' requests. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `io.netty:netty-codec-http2` to version 4.1.135.Final, 4.2.15.Final or higher.	[,4.1.135.Final)[4.2.0.Alpha1,4.2.15.Final)
M Missing Release of Memory after Effective Lifetime io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework. Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime in the `DelegatingDecompressorFrameListener` function. An attacker can cause memory exhaustion and potentially crash the JVM by sending specially crafted HTTP/2 frames that trigger a resource leak. How to fix Missing Release of Memory after Effective Lifetime? Upgrade `io.netty:netty-codec-http2` to version 4.1.135.Final, 4.2.15.Final or higher.	[,4.1.135.Final)[4.2.0.Alpha1,4.2.15.Final)
M Allocation of Resources Without Limits or Throttling io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforcement of the advertised `MAX_CONCURRENT_STREAMS` setting in HTTP/2 connections in `AbstractHttp2ConnectionHandlerBuilder`. An attacker can exhaust server resources by opening a large number of concurrent streams over a single TCP connection, potentially leading to service disruption. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `io.netty:netty-codec-http2` to version 4.1.135.Final, 4.2.15.Final or higher.	[,4.1.135.Final)[4.2.0.Final,4.2.15.Final)

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling

io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the handling of the SETTINGS_MAX_HEADER_LIST_SIZE setting, when acting as a server. An attacker can cause the server to trigger exceptions during response header writing, by sending artificially small header size limits that block other clients' requests.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade io.netty:netty-codec-http2 to version 4.1.135.Final, 4.2.15.Final or higher.

[,4.1.135.Final)[4.2.0.Alpha1,4.2.15.Final)

Missing Release of Memory after Effective Lifetime

io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime in the DelegatingDecompressorFrameListener function. An attacker can cause memory exhaustion and potentially crash the JVM by sending specially crafted HTTP/2 frames that trigger a resource leak.

How to fix Missing Release of Memory after Effective Lifetime?

Upgrade io.netty:netty-codec-http2 to version 4.1.135.Final, 4.2.15.Final or higher.

[,4.1.135.Final)[4.2.0.Alpha1,4.2.15.Final)

Allocation of Resources Without Limits or Throttling

io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforcement of the advertised MAX_CONCURRENT_STREAMS setting in HTTP/2 connections in AbstractHttp2ConnectionHandlerBuilder. An attacker can exhaust server resources by opening a large number of concurrent streams over a single TCP connection, potentially leading to service disruption.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade io.netty:netty-codec-http2 to version 4.1.135.Final, 4.2.15.Final or higher.

[,4.1.135.Final)[4.2.0.Final,4.2.15.Final)

io.netty:netty-codec-http2@4.2.14.Final

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically