io.netty:netty-codec-http2
Maven8 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting io.netty:netty-codec-http2page 1 of 1
- CVE-2021-21295MEDIUMCVSS 5.9EG 5.9✓ Fixed in 4.1.60.Final2021-03-09
vulnerable: 4.1.0.Beta4 ... 4.1.9.Final (72 versions)
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is …
- CVE-2021-21409MEDIUMCVSS 5.9EG 5.9✓ Fixed in 4.1.61.Final2021-03-30
vulnerable: 4.1.0.Beta4 ... 4.1.9.Final (73 versions)
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is …
- CVE-2025-55163HIGHCVSS 7.5EG 7.5✓ Fixed in 4.1.124.Final2025-08-13
vulnerable: 4.1.0.Beta4 ... 4.1.99.Final (136 versions)
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HT…
- CVE-2026-33871HIGHCVSS 7.5EG 7.5✓ Fixed in 4.1.132.Final2026-03-27
vulnerable: 4.1.0.Beta4 ... 4.1.99.Final (144 versions)
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATIO…
- CVE-2026-42587HIGHCVSS 7.5EG 7.5✓ Fixed in 4.1.133.Final2026-05-13
vulnerable: 4.1.0.Beta4 ... 4.1.99.Final (145 versions)
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb atta…
- CVE-2026-47244MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.1.135.Final2026-06-08
vulnerable: 4.1.0.Beta4 ... 4.1.99.Final (147 versions)
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE…
- CVE-2026-48043HIGHCVSS 7.5EG 7.5✓ Fixed in 4.2.15.Final2026-06-11
vulnerable: 4.2.0.Alpha1 ... 4.2.9.Final (25 versions)
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompress…
- CVE-2026-50560MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.1.135.Final2026-06-12
vulnerable: 4.1.0.Beta4 ... 4.1.99.Final (147 versions)
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a …
Check whether io.netty:netty-codec-http2 is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for io.netty:netty-codec-http2 CVEs against the assets you own.
Start Free Scan →