MEDIUM · CVSS 5.3
CVE-2024-29025 — Netty HttpPostRequestDecoder DoS
Netty's multipart request decoder allocated memory without bounds, enabling DoS via crafted multipart uploads.
Affects
- Netty < 4.1.108.Final
What an attacker does
An attacker sends multipart uploads with many parts or very large header fields. Netty accumulates them in memory without a cap, and the service runs out of memory (OOM).
How to detect
Check the Java dependency graph: Netty is pulled in transitively by many frameworks.
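One way to run this check over `mvn dependency:tree` output, as an added example that is not Securie's or Netty's code: it flags Netty artifacts older than 4.1.108.Final and reports the dependency chain that pulls each one in. The artifact names checked (`netty-codec-http`, `netty-all`) and the sample tree are assumptions of this example.

```python
import re

FIXED = (4, 1, 108)  # first fixed release named by the advisory: 4.1.108.Final
# Assumption of this example: the multipart decoder ships in these io.netty artifacts.
AFFECTED_ARTIFACTS = {"netty-codec-http", "netty-all"}
# One node of `mvn dependency:tree` output: optional log prefix, tree drawing, coordinate.
NODE = re.compile(r"^(?:\[INFO\] )?(?P<indent>[ |+\\-]*)(?P<coord>[\w.\-]+(?::[\w.\-]+){3,5})\s*$")

# Constructed sample output for two modules (not taken from a real project).
SAMPLE_TREE = r"""
[INFO] com.example:shop-api:jar:1.0.0
[INFO] +- org.example:web-framework:jar:2.3.1:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.107.Final:compile
[INFO] |  \- io.netty:netty-buffer:jar:4.1.107.Final:compile
[INFO] \- io.netty:netty-all:jar:4.1.94.Final:test
[INFO] com.example:shop-worker:jar:1.0.0
[INFO] \- org.example:rpc-client:jar:1.8.0:compile
[INFO]    \- io.netty:netty-codec-http:jar:4.1.108.Final:runtime
"""

def parse_version(text):
    """'4.1.107.Final' -> (4, 1, 107); None when there is no numeric x.y.z prefix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def find_vulnerable_netty(tree_text):
    """Return [(coordinate, [ancestor chain])] for Netty artifacts older than FIXED."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # build banners, blank lines, summary lines
        depth = len(m.group("indent")) // 3  # each tree level is 3 characters wide
        coord = m.group("coord")
        del stack[depth:]  # drop siblings and deeper nodes from the previous branch
        stack.append(coord)
        parts = coord.split(":")  # group:artifact:type[:classifier]:version:scope
        if parts[0] != "io.netty" or parts[1] not in AFFECTED_ARTIFACTS:
            continue
        version = parse_version(parts[-2])
        if version is None or version < FIXED:  # unparseable versions are flagged for review
            findings.append((coord, stack[:-1]))
    return findings

if __name__ == "__main__":
    for coord, chain in find_vulnerable_netty(SAMPLE_TREE):
        print(f"{coord}  <-  {' -> '.join(chain)}")
```

Versions are compared as integer tuples, so 4.1.94 correctly sorts below 4.1.108, which a plain string comparison would get wrong.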
How to fix
Upgrade Netty to 4.1.108.Final or later.
How Securie catches CVE-2024-29025
Securie's Java + transitive-dependency specialist covers this.