CVE-2025-55163

About vulnerability

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

Affected product:

Apache ActiveMQ , Apache Hadoop , Apache Hive , Apache Kafka , Apache Lucene , Apache Spark , Eclipse Jetty , Netty , Spring , accumulo , agepredictor , artemis , async-http-client , avro , aws-sdk-java , azure-sdk-for-java , bolt-connection-java , bookkeeper-common-allocator , cassandra-java-driver , couchbase-jvm-clients , cxf , druid , elasticsearch , flume-ng-sdk , grpc-core , grpc-java , grpc-netty , grpc-netty-shaded , hbase , http-client , infinispan , java-datastore , java-driver , java-storage , lettuce , lettuce-core , littleproxy , logging-flume , logging-log4j2 , neo4j-bolt-connection-netty , neo4j-java-driver , netty , pulsar , pulsar-client-all , rsocket-java , solr , sonatype-aether , tika , wildfly , zookeeper

Affected packages:

org.apache.cxf.osgi.itests @ 3.5.11 (+4881 more)

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.