CVE-2022-41881

CVSS 5.3 MEDIUMEPSS 1.5%CWE-674

In short

Netty's HTTP proxy message decoder can crash with a stack overflow error when processing specially crafted malformed messages, causing denial of service.

Technical detail

An infinite recursion vulnerability in HaProxyMessageDecoder (CWE-674) allows remote attackers to trigger StackOverflowError via malformed messages, resulting in application crash. No authentication required; attack vector is network-based and affects versions before 4.1.86.Final.

Summary generated and translated by AI from the official description.

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

netty · netty

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html https://security.netapp.com/advisory/ntap-20230113-0004/https://www.debian.org/security/2023/dsa-5316