Update netty.version to v4.1.135.Final [SECURITY]#11
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.1.133.Final→4.1.135.Final4.1.133.Final→4.1.135.Final4.1.133.Final→4.1.135.Final4.1.133.Final→4.1.135.FinalWarning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Have a look at your dependency dashboard
Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking
CVE-2026-44249 / GHSA-3qp7-7mw8-wx86
More information
Details
Summary
An attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions.
Details
io.netty.handler.ipfilter.IpSubnetFilterRule#compareTo(java.net.InetSocketAddress)method performs a bitwise AND between the incoming IP address and the configured networkAddress, instead of the subnetMask.Impact
Access Control Bypass. Attacker can bypass IpSubnetFilter IPv6 access controls.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes
CVE-2026-45416 / GHSA-x4gw-5cx5-pgmh
More information
Details
SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates
ctx.alloc().buffer(handshakeLength)(line 161). The guard at line 140 ishandshakeLength > maxClientHelloLength && maxClientHelloLength != 0, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Netty: Wrapping plain trust manager silently disables hostname verification
CVE-2026-50010 / GHSA-c653-97m9-rcg9
More information
Details
SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with
SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)performs no hostname verification at all.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Netty: Unix-socket fd receive leaks descriptors when peer sends two at once
CVE-2026-45536 / GHSA-w573-9ffj-6ff9
More information
Details
netty_unix_socket_recvFd sets msg_control to
char control[CMSG_SPACE(sizeof(int))](line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process. The subsequent checkcmsg->cmsg_len == CMSG_LEN(sizeof(int))(line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The for(;;) loop calls recvmsg again (non-blocking → EAGAIN → Java maps to 0 → read loop exits normally), leaving two leaked fds per message. There is no MSG_CTRUNC handling. Reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default).Severity
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
CVE-2026-47244 / GHSA-5x3r-wrvg-rp6q
More information
Details
Impact
DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work.
Resources
https://www.rfc-editor.org/rfc/rfc7540.html#section-6.5.2
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
CVE-2026-48043 / GHSA-c2gf-v879-257j
More information
Details
Impact
The
DelegatingDecompressorFrameListenerclass orchestrates HTTP/2 decompression by embedding a per-streamEmbeddedChannelthat runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooledByteBufhanded to an anonymousChannelInboundHandlerAdaptertail handler, which becomes the sole owner responsible for releasing it.A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature
CVE-2026-50560 / GHSA-563q-j3cm-6jxm
More information
Details
Summary
Netty HTTP/2 max header size handling produces attack similar to HTTP/2 Rapid Reset.
Details
There is a setting in the http2 specification called
SETTINGS_MAX_HEADER_LIST_SIZE. According to the RFC: “This advisory setting informs a peer of the maximum field section size that the sender is prepared to accept, in units of octets.”When a client sends that setting to Netty, it appears that Netty will behave as follows:
Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature.
Remediation
When speaking with clients, Netty should potentially treat this as “advisory” and ignore it. It would be best to ignore the SETTINGS_MAX_HEADER_LIST_SIZE setting from clients (or ignore it when sending to clients). According to the spec, a server does not need to honor this advisory setting, and it appears that other http/2 implementations ignore it when acting as a server.
Impact
This is a DDoS attack similar to the HTTP/2 Rapid Reset Attack.
Credit
Jonathan Looney (Engineering, Netflix)
Contact
Ashley Tolbert (Security, Netflix) - artolbert@netflix.com
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
CVE-2026-50020 / GHSA-hvcg-qmg6-jm4c
More information
Details
Summary
Before reading the first request-line,
HttpObjectDecoderskips every byte for whichCharacter.isISOControl(b)istrue(0x00–0x1F and 0x7F) as well as all whitespace.RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line —
a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds.
Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes
significantly beyond this, and can be exploited for request-boundary confusion in pipelined
or multiplexed transports where a front-end component treats those bytes differently.
Affected Code
codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.javaISO_CONTROL_OR_WHITESPACEstatic initialiser — marks all ISO control charscodec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.javaSKIP_CONTROL_CHARS_BYTESByteProcessor— skips the entire setcodec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.javaLineParser.skipControlChars— advancesreaderIndexpast all matching bytesSpecification Analysis
RFC 9112 §2.2 — Message Parsing
Deviation
The RFC names a single permitted exception: an empty line (bare CRLF, i.e. the two-byte
sequence
\r\n). TheISO_CONTROL_OR_WHITESPACEtable is initialised as:Character.isISOControlreturnstruefor0x00–0x1Fand0x7F. This includes NUL(
0x00), SOH (0x01), STX (0x02), BEL (0x07), DEL (0x7F), and every other non-CRLFcontrol character. The
SKIP_CONTROL_CHARSstate runs this scan unconditionally before thefirst
READ_INITIAL, meaning any sequence of such bytes prepended to a request is silentlyconsumed.
A load balancer or TLS terminator that does not perform the same scan sees a different
message boundary than Netty does, which is the basis of a request-desync / smuggling attack.
Suggested Unit Test
Add to
HttpRequestDecoderTest.java.Current behaviour (unfixed):
skipControlCharsadvances past0x00and0x01becauseboth are in
ISO_CONTROL_OR_WHITESPACE; the request parses normally,isFailure()isfalse→ test fails.Expected behaviour after fix: only CRLF empty lines are tolerated; non-CRLF control
bytes produce an error,
isFailure()istrue→ test passes.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (in timezone Australia/Sydney)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.