GHSA-cmm3-54f8-px4j

Suggest an improvement
Source
https://github.com/advisories/GHSA-cmm3-54f8-px4j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cmm3-54f8-px4j/GHSA-cmm3-54f8-px4j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cmm3-54f8-px4j
Aliases
  • CVE-2026-44894
Downstream
Related
Published
2026-06-08T22:59:43Z
Modified
2026-06-12T19:45:11.471397237Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Netty's Default QUIC token handler accepts any client-supplied token
Details

NoQuicTokenHandler is the tokenHandler used when the application does not set one. Its writeToken() returns false (server will not send Retry — acceptable), but validateToken() unconditionally return 0. In QuicheQuicServerCodec.handlePacket(), a non-negative return from validateToken() is interpreted as 'token is valid, ODCID starts at offset 0', causing the server to call quiche_accept as if the client's address had been validated by a Retry round-trip. Per RFC 9000 §8.1, a validated address lifts the 3× anti-amplification send limit. Thus any attacker who includes ANY non-empty token bytes in an Initial packet — with a spoofed victim source IP — causes the Netty server to treat the victim as validated and reflect full-size handshake flights (certificates, etc.) toward it without the 3× cap. The correct 'no token handler' semantics would be to return -1 (invalid) so the normal un-validated path and amplification limit apply.

Database specific
{
    "github_reviewed_at": "2026-06-08T22:59:43Z",
    "nvd_published_at": "2026-06-12T15:16:26Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-940"
    ],
    "severity": "HIGH"
}
References

Affected packages

Maven / io.netty:netty-codec-classes-quic

Package

Name
io.netty:netty-codec-classes-quic
View open source insights on deps.dev
Purl
pkg:maven/io.netty/netty-codec-classes-quic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0.Final
Fixed
4.2.15.Final

Affected versions

4.*
4.2.1.Final
4.2.2.Final
4.2.3.Final
4.2.4.Final
4.2.5.Final
4.2.6.Final
4.2.7.Final
4.2.8.Final
4.2.9.Final
4.2.10.Final
4.2.11.Final
4.2.12.Final
4.2.13.Final
4.2.14.Final

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cmm3-54f8-px4j/GHSA-cmm3-54f8-px4j.json"
last_known_affected_version_range
"<= 4.2.14.Final"