io.netty:netty-handler (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package io.netty:netty-handler, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (11)
CVE-2019-20445 — CVSS 9.1 (critical): HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a…
CVE-2026-44249 — CVSS 8.1 (high): Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final…
CVE-2020-11612 — CVSS 7.5 (high): The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker…
CVE-2026-45416 — CVSS 7.5 (high): Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final…
CVE-2026-50010 — CVSS 7.5 (high): Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final…
CVE-2025-24970 — CVSS 7.5 (high): Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to…
CVE-2020-7238 — CVSS 7.5 (high): Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chun…
CVE-2016-4970 — CVSS 7.5 (high): handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of…
CVE-2023-4586 — CVSS 7.4 (high): A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when…
CVE-2023-34462 — CVSS 6.5 (medium): Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers…
CVE-2014-3488 — CVSS 5.0 (medium): The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted…