
Dr. Michael Ummels

Researcher at BVU Beratergruppe Verkehr + Umwelt GmbH
#32718 of 53,640
7.8 total CVSS
Vulnerabilities · 1
PT-2023-8190
7.8
2023-11-15
Unknown · Reactor Netty Http Server · CVE-2023-34062
**Name of the Vulnerable Software and Affected Versions**

Reactor Netty HTTP Server versions 1.0.x prior to 1.0.39

Reactor Netty HTTP Server versions 1.1.x prior to 1.1.13

**Description**

The issue is related to incorrect restriction of directory path names, which can lead to a directory traversal attack. This can allow a remote attacker to disclose protected information. Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.

**Recommendations**

For Reactor Netty HTTP Server versions 1.0.x prior to 1.0.39, update to version 1.0.39 or later.

For Reactor Netty HTTP Server versions 1.1.x prior to 1.1.13, update to version 1.1.13 or later.

As a temporary workaround, consider disabling the serving of static resources until a patch is available.