GHSA-cc37-9q2j-3hfvHighCVSS 7.5

Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length

Published
June 8, 2026
Last Modified
June 8, 2026

🔗 CVE IDs covered (1)

📋 Description

When decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls header.retainedSlice(header.readerIndex(), length) and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released.

🎯 Affected products2

  • maven/io.netty:netty-codec-haproxy:>= 4.2.0.Final, <= 4.2.14.Final
  • maven/io.netty:netty-codec-haproxy:<= 4.1.134.Final

🔗 References (4)