GHSA-c2rx-5r8w-8xr2

Suggest an improvement
Source
https://github.com/advisories/GHSA-c2rx-5r8w-8xr2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c2rx-5r8w-8xr2/GHSA-c2rx-5r8w-8xr2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c2rx-5r8w-8xr2
Aliases
  • CVE-2026-44892
Downstream
Related
Published
2026-06-08T19:02:16Z
Modified
2026-06-12T19:30:08.487426672Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size
Details

Summary

The default configuration of the Http3ConnectionHandler in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an OutOfMemoryError.

Details

Netty securely limits header sizes for older protocols. In HTTP/1.1, Netty strictly enforces an 8192-byte limit out-of-the-box via HttpObjectDecoder. For HTTP/2, while RFC 9113 specifies that SETTINGS_MAX_HEADER_LIST_SIZE defaults to unlimited, Netty securely overrides this RFC default by enforcing an 8192-byte limit (Http2CodecUtil.DEFAULT_HEADER_LIST_SIZE).

However, this secure-by-default configuration is missing in the HTTP/3 implementation. While Netty provides a mechanism to configure the maximum header field section size via Http3Settings, its out-of-the-box behaviour strictly follows RFC 9114's unlimited default.

Because many developers rely on the framework's default configurations and basic constructors, their applications are unknowingly left vulnerable. This nearly infinite default limit is passed into Http3FrameCodec#newFactory and stored as maxHeaderListSize inside Http3FrameCodec.

A bad actor can continuously send HTTP/3 headers within a connection, exploiting the insecure default configuration to consume server memory unconditionally until the application crashes with an OutOfMemoryError.

Impact

Denial of Service via memory exhaustion. All applications using Netty's HTTP/3 codec with its default configuration are impacted.

Database specific 
{
    "nvd_published_at": "2026-06-12T05:16:32Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1188",
        "CWE-400"
    ],
    "github_reviewed_at": "2026-06-08T19:02:16Z"
}
References

Affected packages

Maven / io.netty:netty-codec-http3

Package

Name
io.netty:netty-codec-http3
View open source insights on deps.dev
Purl
pkg:maven/io.netty/netty-codec-http3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0.Final
Fixed
4.2.15.Final

Affected versions

4.*
4.2.2.Final
4.2.3.Final
4.2.4.Final
4.2.5.Final
4.2.6.Final
4.2.7.Final
4.2.8.Final
4.2.9.Final
4.2.10.Final
4.2.11.Final
4.2.12.Final
4.2.13.Final
4.2.14.Final

Database specific

last_known_affected_version_range 
"<= 4.2.14.Final"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c2rx-5r8w-8xr2/GHSA-c2rx-5r8w-8xr2.json"