CVE-2025-55163

Netty MadeYouReset HTTP/2 DDoS Vulnerability

CVSS 8.2 HIGH · EPSS 1.0% · CWE-770
In short

Netty's HTTP/2 implementation is vulnerable to a DDoS attack using specially crafted control frames that bypass stream limits, causing the server to exhaust resources and stop responding to legitimate requests.

Technical detail

A logical flaw in Netty's HTTP/2 protocol handling allows an attacker to craft malformed control frames that circumvent enforcement of the MAX_CONCURRENT_STREAMS limit, leading to unbounded resource consumption and denial of service. Exploitation requires only network access to an affected HTTP/2 endpoint, with no privileges or user interaction (PR:N/UI:N). The issue is patched in versions 4.1.124.Final and 4.2.4.Final.
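As an added illustration (not Netty's code and not part of the original advisory), the following Python model shows the accounting mistake the paragraph describes and two defensive guards against it. It assumes a MAX_CONCURRENT_STREAMS value of 100 and that a malformed control frame on an open stream makes the server reset that stream while the request handler it has already dispatched keeps running; the class, method and constant names are hypothetical.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

MAX_CONCURRENT_STREAMS = 100  # assumed SETTINGS value for this model


class PeerMisbehaving(Exception):
    """Raised where a real server would refuse the stream or send GOAWAY and drop the connection."""


@dataclass
class Connection:
    # Streams the protocol layer still considers open: this is all MAX_CONCURRENT_STREAMS counts.
    open_streams: set = field(default_factory=set)
    # Request handlers still running on the backend, keyed by stream id.
    in_flight: set = field(default_factory=set)
    # Timestamps of streams this side has reset, for the reset-rate guard.
    reset_times: deque = field(default_factory=deque)
    # Guard 1 (hypothetical): count backend work, not just open streams.
    limit_in_flight: bool = False
    # Guard 2 (hypothetical): maximum server-issued resets per window; None disables it.
    reset_budget: Optional[int] = None
    window: float = 1.0
    now: float = 0.0

    def open_stream(self, sid):
        if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            raise PeerMisbehaving("REFUSED_STREAM: too many open streams")
        if self.limit_in_flight and len(self.in_flight) >= MAX_CONCURRENT_STREAMS:
            raise PeerMisbehaving("REFUSED_STREAM: too much in-flight work")
        self.open_streams.add(sid)
        self.in_flight.add(sid)  # handler dispatched as soon as the request arrives

    def malformed_frame(self, sid):
        # A malformed control frame on an open stream makes the server reset that stream.
        # Unmitigated flaw: the stream stops counting as open, but its handler keeps running.
        self.open_streams.discard(sid)
        self.reset_times.append(self.now)
        while self.reset_times and self.reset_times[0] < self.now - self.window:
            self.reset_times.popleft()
        if self.reset_budget is not None and len(self.reset_times) > self.reset_budget:
            raise PeerMisbehaving("ENHANCE_YOUR_CALM: excessive resets on this connection")

    def handler_done(self, sid):
        self.in_flight.discard(sid)
        self.open_streams.discard(sid)


def simulate_abuse(conn, n_requests):
    """Each request is followed at once by a malformed frame and no handler ever finishes.
    Returns how many handlers are left running, or -1 if the server cut the connection off."""
    for i in range(n_requests):
        sid = 2 * i + 1
        try:
            conn.open_stream(sid)
            conn.malformed_frame(sid)
        except PeerMisbehaving:
            return -1
    return len(conn.in_flight)


def legitimate_traffic(conn, n_requests):
    """Well-behaved client: every request completes before the next. Returns handlers still running."""
    for i in range(n_requests):
        sid = 2 * i + 1
        conn.open_stream(sid)
        conn.handler_done(sid)
    return len(conn.in_flight)


if __name__ == "__main__":
    print("unmitigated handlers in flight:", simulate_abuse(Connection(), 1000))
    print("in-flight guard:", simulate_abuse(Connection(limit_in_flight=True), 1000))
    print("reset-rate guard:", simulate_abuse(Connection(reset_budget=50), 1000))
    print("legitimate client under both guards:",
          legitimate_traffic(Connection(limit_in_flight=True, reset_budget=50), 1000))
```

With neither guard, 1000 requests leave 1000 handlers running against a nominal limit of 100, because the limit is checked against stream state rather than against work in progress. Either guard stops the connection at or before the hundredth stream, while a client whose requests actually complete is never refused; in production the two are complementary, since the in-flight bound caps memory and CPU per connection and the reset budget catches the abnormal reset rate early enough to log and drop the peer.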

Summary generated and translated by AI from the official description.

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected products
netty · netty
