netty

45 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-44248
< 4.1.133
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header P
5.3 MEDIUM
CVE-2026-42587
< 4.1.133
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompre
7.5 HIGH
CVE-2026-42586
< 4.1.133
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis cod
6.8 MEDIUM
CVE-2026-42585
< 4.1.133
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly p
6.5 MEDIUM
CVE-2026-42584
< 4.1.133
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pai
7.3 HIGH
CVE-2026-42583
< 4.1.133
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder all
7.5 HIGH
CVE-2026-42582
< 4.2.13
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-
7.5 HIGH
CVE-2026-42581
< 4.1.133
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder s
5.8 MEDIUM
CVE-2026-42580
< 4.1.133
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size
6.5 MEDIUM
CVE-2026-42579
< 4.1.133
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec d
7.5 HIGH
CVE-2026-42578
< 4.1.133
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHa
7.5 HIGH
CVE-2026-42577
>= 4.2.0 and < 4.2.13
Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport f
7.5 HIGH
CVE-2026-41417
< 4.1.133
Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and i
5.3 MEDIUM
CVE-2026-33871
< 4.1.132
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remot
7.5 HIGH
CVE-2026-33870
< 4.1.132
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty i
7.5 HIGH
CVE-2025-67735
< 4.1.129
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.
6.5 MEDIUM
CVE-2025-58057
< 4.1.125
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protoco
7.5 HIGH
CVE-2025-58056
< 4.1.125
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol serv
7.5 HIGH
CVE-2025-55163
< 4.1.124
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vu
7.5 HIGH
CVE-2025-25193
< 4.1.118
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Fi
5.5 MEDIUM
CVE-2025-24970
>= 4.1.91 and < 4.1.118
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior
7.5 HIGH
CVE-2024-47535
< 4.1.115
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protoco
5.5 MEDIUM
CVE-2024-40642
< 0.0.13
The netty incubator codec.bhttp is a java language binary http parser. In affected versions the BinaryHttpParser class does not
8.1 HIGH
CVE-2024-36121
>= 0.0.3 and < 0.0.11
netty-incubator-codec-ohttp is the OHTTP implementation for netty. BoringSSLAEADContext keeps track of how many OHTTP responses ha
5.9 MEDIUM
CVE-2024-29025
< 4.1.108
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protoco
5.3 MEDIUM
CVE-2023-44487
< 4.1.100
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams q
7.5 HIGH
CVE-2023-34462
< 4.1.94
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protoco
6.5 MEDIUM
CVE-2022-41915
>= 4.1.83 and < 4.1.86
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.
6.5 MEDIUM
CVE-2022-41881
< 4.1.86
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowErr
5.3 MEDIUM
CVE-2022-24823
< 4.1.77
Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to
5.5 MEDIUM
CVE-2021-43797
< 4.1.71
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protoco
6.5 MEDIUM
CVE-2021-37137
< 4.1.68
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also
7.5 HIGH
CVE-2021-37136
< 4.1.68
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects th
7.5 HIGH
CVE-2021-21409
< 4.1.61
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high perfor
5.9 MEDIUM
CVE-2021-21295
< 4.1.60
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high perfor
5.9 MEDIUM
CVE-2021-21290
< 4.1.59
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high perfor
6.2 MEDIUM
CVE-2020-11612
>= 4.1 and < 4.1.46
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An a
7.5 HIGH
CVE-2019-20445
< 4.1.44
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header,
9.1 CRITICAL
CVE-2019-20444
< 4.1.44
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate h
9.1 CRITICAL
CVE-2020-7238
all versions
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Enc
7.5 HIGH
CVE-2019-16869
< 4.1.42
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), w
7.5 HIGH
CVE-2015-2156
<= 3.9.7
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2
7.5 HIGH
CVE-2016-4970
>= 4.0.20 and < 4.0.37
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a
7.5 HIGH
CVE-2014-3488
<= 3.9.1.1
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via
CVE-2014-0193
all versions
WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin