- CVE ID
- CVE-2025-55163
- CVE Description
- Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
- Published
- Aug 14, 2025
- CVSS Score & Severity
7.5High
- CVSS Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- EPSS Score
- 0.052%
- KEV Status
Not in KEV Catalog: No known exploits
- Vulnerable Methods
io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.buildFromCodec(Lio/netty/handler/codec/http2/Http2ConnectionDecoder;Lio/netty/handler/codec/http2/Http2ConnectionEncoder;)Lio/netty/handler/codec/http2/Http2ConnectionHandler;JVM
io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.buildFromConnection(Lio/netty/handler/codec/http2/Http2Connection;)Lio/netty/handler/codec/http2/Http2ConnectionHandler;JVM
io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.decoderEnforceMaxRstFramesPerWindow(II)Lio/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder;JVM
io/netty/handler/codec/http2/Http2ConnectionHandler$BuilderBase.build(Lio/netty/handler/codec/http2/Http2ConnectionDecoder;Lio/netty/handler/codec/http2/Http2ConnectionEncoder;)Lio/netty/handler/codec/http2/Http2ConnectionHandler;JVM
io/netty/handler/codec/http2/Http2ConnectionHandler.<init>(Lio/netty/handler/codec/http2/Http2ConnectionDecoder$Builder;Lio/netty/handler/codec/http2/Http2ConnectionEncoder$Builder;)VJVM
- Source
- National Vulnerability Database
