PT-2025-32999 · Netty+4 · Netty+5

Anatbb +2 · Published 2025-08-13 · Updated 2026-05-18 · CVE-2025-55163

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: Netty versions prior to 4.1.124.Final; Netty versions prior to 4.2.4.Final
Description: Netty is an asynchronous, event-driven network application framework vulnerable to a MadeYouReset DDoS attack. This issue is a logical vulnerability in the HTTP/2 protocol, triggered by malformed HTTP/2 control frames that bypass the maximum concurrent streams limit, leading to resource exhaustion and a distributed denial of service.
Recommendations: Netty versions prior to 4.1.124.Final: Update to version 4.1.124.Final or later. Netty versions prior to 4.2.4.Final: Update to version 4.2.4.Final or later.

Exploit · Fix · DoS · Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

BDU:2025-10993
CLEANSTART-2026-DD05788
CLEANSTART-2026-GQ14179
CLEANSTART-2026-JU62349
CLEANSTART-2026-JW30455
CLEANSTART-2026-KU61465
CLEANSTART-2026-LE11246
CLEANSTART-2026-MM00120
CLEANSTART-2026-RN56220
CLEANSTART-2026-SQ91016
CLEANSTART-2026-SV95049
CLEANSTART-2026-VH41554
CLEANSTART-2026-WG59699
CLEANSTART-2026-WK99982
CVE-2025-55163
ECHO-E753-218C-9042
GHSA-PRJ3-CCX8-P6X4
OPENSUSE-SU-2025:15483-1
RHSA-2026:0742
RHSA-2026:0743
RHSA-2026:4915
RHSA-2026:4916
RHSA-2026:4917
SUSE-SU-2025:03021-1
SUSE-SU-2025:03114-1
SUSE-SU-2025_03114-1

Affected Products

Bamboo
Bitbucket
Debian
Netty
Red Os
Suse