Vulnerability DatabaseCVE-2025-55163
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-55163
August 13, 2025
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
Affected Packages
https://github.com/netty/netty.git (GITHUB):
Affected version(s) >=netty-4.2.0.Final <4.2.4.Final
Fix Suggestion:
Update to version 4.2.4.Final
https://github.com/netty/netty.git (GITHUB):
Affected version(s) >=netty-3.2.4.Final <netty-4.1.124.Final
Fix Suggestion:
Update to version netty-4.1.124.Final
io.grpc:grpc-netty-shaded (JAVA):
Affected version(s) >=1.9.0 <1.75.0
Fix Suggestion:
Update to version 1.75.0
io.netty:netty-codec-http2 (JAVA):
Affected version(s) >=4.1.0.Beta4 <4.1.124.Final
Fix Suggestion:
Update to version 4.1.124.Final
io.netty:netty-codec-http2 (JAVA):
Affected version(s) >=4.2.0.Alpha1 <4.2.4.Final
Fix Suggestion:
Update to version 4.2.4.Final
io.netty:netty-codec-http2 (JAVA):
Affected version(s) >=4.1.0.Beta4 <4.1.124.Final
Fix Suggestion:
Update to version 4.1.124.Final
io.netty:netty-codec-http2 (JAVA):
Affected version(s) >=4.2.0.Final <4.2.4.Final
Fix Suggestion:
Update to version 4.2.4.Final
Related ResourcesĀ (8)
https://github.com/grpc/grpc-java/commit/6462ef9a11980e168c21d90bbc7245c728fd1a7a
https://security-tracker.debian.org/tracker/CVE-2025-55163
https://github.com/netty/netty
https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
https://nvd.nist.gov/vuln/detail/CVE-2025-55163
http://www.openwall.com/lists/oss-security/2025/08/16/1
https://github.com/netty/netty/commit/be53dc3c9acd9af2e20d0c3c07cd77115a594cf1
https://www.kb.cert.org/vuls/id/767506
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.2
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Allocation of Resources Without Limits or Throttling
CWE-770
EPSS
Base Score:
0.1