Netty · Netty · CVE-2026-50560
**Name of the Vulnerable Software and Affected Versions**
Netty versions prior to 4.1.135.Final
Netty versions prior to 4.2.15.Final
**Description**
Netty's handling of the HTTP/2 maximum header size allows an attack similar to HTTP/2 Rapid Reset. When a client sends the `SETTINGS_MAX_HEADER_LIST_SIZE` setting, the framework reads the request, proxies it to the origin, and attempts to produce a response, but then throws an exception while writing the response headers. The result is functionally similar to an HTTP/2 reset attack but has a different on-the-wire signature.
**Recommendations**
Update to version 4.1.135.Final
Update to version 4.2.15.Final
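
A dependency check built from the version bounds above, as an added example that is not part of the advisory: it reads `mvn dependency:tree` or Gradle dependency report text and classifies each `io.netty` artifact it finds. The sample report is constructed, and treating every `io.netty` artifact on an affected version as in scope is an assumption, since the advisory does not name a module.

```python
import re

# Fixed releases per release line, taken from the advisory above.
FIXED_41 = (4, 1, 135)
FIXED_42 = (4, 2, 15)

VERSION = r"(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?"
# io.netty:<artifact>[:type[:classifier]]:<version>[ -> <resolved version>]
COORD = re.compile(
    r"io\.netty:([\w.\-]+):(?:[\w.\-]+:)*?" + VERSION + r"(?:\s*->\s*" + VERSION + r")?"
)

# Constructed sample mixing `mvn dependency:tree` and Gradle report lines.
SAMPLE = "\n".join([
    "[INFO] +- io.netty:netty-codec-http2:jar:4.1.100.Final:compile",
    "[INFO] +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.135.Final:compile",
    "[INFO] +- io.netty:netty-tcnative-boringssl-static:jar:2.0.61.Final:runtime",
    "+--- io.netty:netty-handler:4.2.3.Final -> 4.2.15.Final",
    "+--- io.netty:netty-codec-http:4.2.14.Final",
])


def classify(version):
    """Return 'affected', 'fixed' or 'unlisted' for a (major, minor, patch) tuple."""
    major, minor, _ = version
    if major != 4 or minor > 2:
        # Separately versioned artifacts (e.g. 2.0.x) and release lines
        # the advisory does not mention are reported, not judged.
        return "unlisted"
    # Literal reading of "prior to 4.1.135.Final": 4.0.x counts as prior too.
    fixed = FIXED_42 if minor == 2 else FIXED_41
    # Qualifiers such as .Final or .RC1 are ignored in the comparison.
    return "affected" if version < fixed else "fixed"


def scan(report_text):
    """Return (artifact, version, status) for every io.netty coordinate found."""
    findings = []
    for m in COORD.finditer(report_text):
        groups = m.groups()
        # Gradle prints "declared -> resolved"; the resolved version is what ships.
        nums = groups[4:7] if m.group(5) else groups[1:4]
        version = tuple(int(n) for n in nums)
        findings.append((m.group(1), ".".join(nums), classify(version)))
    return findings


if __name__ == "__main__":
    for artifact, version, status in scan(SAMPLE):
        print(f"{status:9} {artifact} {version}")
```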