PT-2024-2588 · Netty+6

Vietj · Published 2024-03-25 · Updated 2026-05-18 · CVE-2024-29025

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Netty versions prior to 4.1.108.Final

Description

The issue is in Netty's HttpPostRequestDecoder, which can be tricked into accumulating data without limits. This can be achieved by sending a chunked POST consisting of many small fields, which accumulate in the bodyListHttpData list, or by accumulating bytes in the undecodedChunk buffer until a field can be decoded. The vulnerability can be exploited to cause a denial of service.

Recommendations

For Netty versions prior to 4.1.108.Final, update to version 4.1.108.Final or later to resolve the issue. As a temporary workaround, consider restricting the number of fields that can be accumulated in the bodyListHttpData list or limiting the size of the undecodedChunk buffer to prevent excessive data accumulation.

Exploit

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

BDU:2024-02650
CLEANSTART-2026-DD05788
CLEANSTART-2026-KU61465
CLEANSTART-2026-LE11246
CLEANSTART-2026-RN56220
CLEANSTART-2026-VH41554
CVE-2024-29025
DLA-3834-1
GHSA-5JPM-X58V-624V
OESA-2024-2379
OESA-2024-2395
OPENSUSE-SU-2024:14101-1
OPENSUSE-SU-2024:14442-1
OPENSUSE-SU-2024_1079-2
OPENSUSE-SU-2024_2313-1
RHSA-2024:5143
RHSA-2024:5144
RHSA-2024:5145
RHSA-2024:5479
RHSA-2024:5481
SUSE-SU-2024:1079-1
SUSE-SU-2024:1079-2
SUSE-SU-2024:2313-1
SUSE-SU-2024_1079-1
SUSE-SU-2024_1079-2
SUSE-SU-2024_2313-1
USN-7284-1

Affected Products

Astra Linux
Debian
Linux Mint
Netty
RED OS
SUSE
Ubuntu