GHSA-c653-97m9-rcg9

SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with SslContextBuilder.forClient().trustManager(somePlainX509TrustManager) performs no hostname verification at all.

Database specific

{
    "nvd_published_at": "2026-06-12T16:16:31Z",
    "github_reviewed_at": "2026-06-15T20:45:45Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-347"
    ]
}

References

Affected packages

Maven / io.netty:netty-handler

Package

Name: io.netty:netty-handler; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty-handler

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0.Final

Fixed

4.2.15.Final

Affected versions

4.*

4.2.0.Final

4.2.1.Final

4.2.2.Final

4.2.3.Final

4.2.4.Final

4.2.5.Final

4.2.6.Final

4.2.7.Final

4.2.8.Final

4.2.9.Final

4.2.10.Final

4.2.11.Final

4.2.12.Final

4.2.13.Final

4.2.14.Final

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c653-97m9-rcg9/GHSA-c653-97m9-rcg9.json"

Maven / io.netty:netty-handler

Package

Name: io.netty:netty-handler; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty-handler

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.135.Final

Affected versions

4.*

4.0.0.Alpha1

4.0.0.Alpha2

4.0.0.Alpha3

4.0.0.Alpha4

4.0.0.Alpha5

4.0.0.Alpha6

4.0.0.Alpha7

4.0.0.Alpha8

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.CR1

4.0.0.CR2

4.0.0.CR3

4.0.0.CR4

4.0.0.CR5

4.0.0.CR6

4.0.0.CR7

4.0.0.CR8

4.0.0.CR9

4.0.0.Final

4.0.1.Final

4.0.2.Final

4.0.3.Final

4.0.4.Final

4.0.5.Final

4.0.6.Final

4.0.7.Final

4.0.8.Final

4.0.9.Final

4.0.10.Final

4.0.11.Final

4.0.12.Final

4.0.13.Final

4.0.14.Beta1

4.0.14.Final

4.0.15.Final

4.0.16.Final

4.0.17.Final

4.0.18.Final

4.0.19.Final

4.0.20.Final

4.0.21.Final

4.0.22.Final

4.0.23.Final

4.0.24.Final

4.0.25.Final

4.0.26.Final

4.0.27.Final

4.0.28.Final

4.0.29.Final

4.0.30.Final

4.0.31.Final

4.0.32.Final

4.0.33.Final

4.0.34.Final

4.0.35.Final

4.0.36.Final

4.0.37.Final

4.0.38.Final

4.0.39.Final

4.0.40.Final

4.0.41.Final

4.0.42.Final

4.0.43.Final

4.0.44.Final

4.0.45.Final

4.0.46.Final

4.0.47.Final

4.0.48.Final

4.0.49.Final

4.0.50.Final

4.0.51.Final

4.0.52.Final

4.0.53.Final

4.0.54.Final

4.0.55.Final

4.0.56.Final

4.1.0.Beta1

4.1.0.Beta2

4.1.0.Beta3

4.1.0.Beta4

4.1.0.Beta5

4.1.0.Beta6

4.1.0.Beta7

4.1.0.Beta8

4.1.0.CR1

4.1.0.CR2

4.1.0.CR3

4.1.0.CR4

4.1.0.CR5

4.1.0.CR6

4.1.0.CR7

4.1.0.Final

4.1.1.Final

4.1.2.Final

4.1.3.Final

4.1.4.Final

4.1.5.Final

4.1.6.Final

4.1.7.Final

4.1.8.Final

4.1.9.Final

4.1.10.Final

4.1.11.Final

4.1.12.Final

4.1.13.Final

4.1.14.Final

4.1.15.Final

4.1.16.Final

4.1.17.Final

4.1.18.Final

4.1.19.Final

4.1.20.Final

4.1.21.Final

4.1.22.Final

4.1.23.Final

4.1.24.Final

4.1.25.Final

4.1.26.Final

4.1.27.Final

4.1.28.Final

4.1.29.Final

4.1.30.Final

4.1.31.Final

4.1.32.Final

4.1.33.Final

4.1.34.Final

4.1.35.Final

4.1.36.Final

4.1.37.Final

4.1.38.Final

4.1.39.Final

4.1.40.Final

4.1.41.Final

4.1.42.Final

4.1.43.Final

4.1.44.Final

4.1.45.Final

4.1.46.Final

4.1.47.Final

4.1.48.Final

4.1.49.Final

4.1.50.Final

4.1.51.Final

4.1.52.Final

4.1.53.Final

4.1.54.Final

4.1.55.Final

4.1.56.Final

4.1.57.Final

4.1.58.Final

4.1.59.Final

4.1.60.Final

4.1.61.Final

4.1.62.Final

4.1.63.Final

4.1.64.Final

4.1.65.Final

4.1.66.Final

4.1.67.Final

4.1.68.Final

4.1.69.Final

4.1.70.Final

4.1.71.Final

4.1.72.Final

4.1.73.Final

4.1.74.Final

4.1.75.Final

4.1.76.Final

4.1.77.Final

4.1.78.Final

4.1.79.Final

4.1.80.Final

4.1.81.Final

4.1.82.Final

4.1.83.Final

4.1.84.Final

4.1.85.Final

4.1.86.Final

4.1.87.Final

4.1.88.Final

4.1.89.Final

4.1.90.Final

4.1.91.Final

4.1.92.Final

4.1.93.Final

4.1.94.Final

4.1.95.Final

4.1.96.Final

4.1.97.Final

4.1.98.Final

4.1.99.Final

4.1.100.Final

4.1.101.Final

4.1.102.Final

4.1.103.Final

4.1.104.Final

4.1.105.Final

4.1.106.Final

4.1.107.Final

4.1.108.Final

4.1.109.Final

4.1.110.Final

4.1.111.Final

4.1.112.Final

4.1.113.Final

4.1.114.Final

4.1.115.Final

4.1.116.Final

4.1.117.Final

4.1.118.Final

4.1.119.Final

4.1.120.Final

4.1.121.Final

4.1.122.Final

4.1.123.Final

4.1.124.Final

4.1.125.Final

4.1.126.Final

4.1.127.Final

4.1.128.Final

4.1.129.Final

4.1.130.Final

4.1.131.Final

4.1.132.Final

4.1.133.Final

4.1.134.Final

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c653-97m9-rcg9/GHSA-c653-97m9-rcg9.json"

last_known_affected_version_range

"<= 4.1.134.Final"