CVE-2025-55163

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
---
---
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 23%
VendorProductVersion
nettynetty
𝑥
< 4.1.124
nettynetty
4.2.0 ≤
𝑥
< 4.2.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
netty
bullseye (security)
vulnerable
bullseye
vulnerable
bookworm
vulnerable
bookworm (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
Common Weakness Enumeration
References
https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
http://www.openwall.com/lists/oss-security/2025/08/16/1
https://www.kb.cert.org/vuls/id/767506