GHSA-c2gf-v879-257jMediumCVSS 5.3
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
🔗 CVE IDs covered (1)
📋 Description
Impact
The DelegatingDecompressorFrameListener class orchestrates HTTP/2 decompression by embedding a per-stream EmbeddedChannel that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled ByteBuf handed to an anonymous ChannelInboundHandlerAdapter tail handler, which becomes the sole owner responsible for releasing it.
A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME.
🎯 Affected products2
- maven/io.netty:netty-codec-http2:<= 4.1.134.Final
- maven/io.netty:netty-codec-http2:>= 4.2.0.Alpha1, <= 4.2.14.Final