GHSA-563q-j3cm-6jxm

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature

Details

Summary

Netty HTTP/2 max header size handling produces attack similar to HTTP/2 Rapid Reset.

Details

There is a setting in the http2 specification called SETTINGS_MAX_HEADER_LIST_SIZE. According to the RFC: “This advisory setting informs a peer of the maximum field section size that the sender is prepared to accept, in units of octets.”

When a client sends that setting to Netty, it appears that Netty will behave as follows:

Read the request
Proxy the request to the origin
Attempt to produce a response
Create an exception while writing the headers for the response

Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature.

Remediation

When speaking with clients, Netty should potentially treat this as “advisory” and ignore it. It would be best to ignore the SETTINGSMAXHEADERLISTSIZE setting from clients (or ignore it when sending to clients). According to the spec, a server does not need to honor this advisory setting, and it appears that other http/2 implementations ignore it when acting as a server.

Impact

This is a DDoS attack similar to the HTTP/2 Rapid Reset Attack.

Credit

Jonathan Looney (Engineering, Netflix)

Contact

Ashley Tolbert (Security, Netflix) - artolbert@netflix.com

Database specific

{
    "nvd_published_at": "2026-06-12T16:16:32Z",
    "github_reviewed_at": "2026-06-15T20:46:56Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Maven / io.netty:netty-codec-http2

Package

Name: io.netty:netty-codec-http2; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty-codec-http2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0.Final

Fixed

4.2.15.Final

Affected versions

4.*

4.2.0.Final

4.2.1.Final

4.2.2.Final

4.2.3.Final

4.2.4.Final

4.2.5.Final

4.2.6.Final

4.2.7.Final

4.2.8.Final

4.2.9.Final

4.2.10.Final

4.2.11.Final

4.2.12.Final

4.2.13.Final

4.2.14.Final

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-563q-j3cm-6jxm/GHSA-563q-j3cm-6jxm.json"

last_known_affected_version_range

"<= 4.2.14.Final"

Maven / io.netty:netty-codec-http2

Package

Name: io.netty:netty-codec-http2; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty-codec-http2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.135.Final

Affected versions

4.*

4.1.0.Beta4

4.1.0.Beta5

4.1.0.Beta6

4.1.0.Beta7

4.1.0.Beta8

4.1.0.CR1

4.1.0.CR2

4.1.0.CR3

4.1.0.CR4

4.1.0.CR5

4.1.0.CR6

4.1.0.CR7

4.1.0.Final

4.1.1.Final

4.1.2.Final

4.1.3.Final

4.1.4.Final

4.1.5.Final

4.1.6.Final

4.1.7.Final

4.1.8.Final

4.1.9.Final

4.1.10.Final

4.1.11.Final

4.1.12.Final

4.1.13.Final

4.1.14.Final

4.1.15.Final

4.1.16.Final

4.1.17.Final

4.1.18.Final

4.1.19.Final

4.1.20.Final

4.1.21.Final

4.1.22.Final

4.1.23.Final

4.1.24.Final

4.1.25.Final

4.1.26.Final

4.1.27.Final

4.1.28.Final

4.1.29.Final

4.1.30.Final

4.1.31.Final

4.1.32.Final

4.1.33.Final

4.1.34.Final

4.1.35.Final

4.1.36.Final

4.1.37.Final

4.1.38.Final

4.1.39.Final

4.1.40.Final

4.1.41.Final

4.1.42.Final

4.1.43.Final

4.1.44.Final

4.1.45.Final

4.1.46.Final

4.1.47.Final

4.1.48.Final

4.1.49.Final

4.1.50.Final

4.1.51.Final

4.1.52.Final

4.1.53.Final

4.1.54.Final

4.1.55.Final

4.1.56.Final

4.1.57.Final

4.1.58.Final

4.1.59.Final

4.1.60.Final

4.1.61.Final

4.1.62.Final

4.1.63.Final

4.1.64.Final

4.1.65.Final

4.1.66.Final

4.1.67.Final

4.1.68.Final

4.1.69.Final

4.1.70.Final

4.1.71.Final

4.1.72.Final

4.1.73.Final

4.1.74.Final

4.1.75.Final

4.1.76.Final

4.1.77.Final

4.1.78.Final

4.1.79.Final

4.1.80.Final

4.1.81.Final

4.1.82.Final

4.1.83.Final

4.1.84.Final

4.1.85.Final

4.1.86.Final

4.1.87.Final

4.1.88.Final

4.1.89.Final

4.1.90.Final

4.1.91.Final

4.1.92.Final

4.1.93.Final

4.1.94.Final

4.1.95.Final

4.1.96.Final

4.1.97.Final

4.1.98.Final

4.1.99.Final

4.1.100.Final

4.1.101.Final

4.1.102.Final

4.1.103.Final

4.1.104.Final

4.1.105.Final

4.1.106.Final

4.1.107.Final

4.1.108.Final

4.1.109.Final

4.1.110.Final

4.1.111.Final

4.1.112.Final

4.1.113.Final

4.1.114.Final

4.1.115.Final

4.1.116.Final

4.1.117.Final

4.1.118.Final

4.1.119.Final

4.1.120.Final

4.1.121.Final

4.1.122.Final

4.1.123.Final

4.1.124.Final

4.1.125.Final

4.1.126.Final

4.1.127.Final

4.1.128.Final

4.1.129.Final

4.1.130.Final

4.1.131.Final

4.1.132.Final

4.1.133.Final

4.1.134.Final

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-563q-j3cm-6jxm/GHSA-563q-j3cm-6jxm.json"

last_known_affected_version_range

"<= 4.1.134.Final"