MEDIUM · CVSS 5.3
CVE-2024-29025 — Netty HttpPostRequestDecoder DoS
Netty's multipart request decoder allocated memory without bounds, enabling DoS via crafted multipart uploads.
Affects
- Netty < 4.1.108.Final
What an attacker does
An attacker sends multipart uploads with many parts or very large header fields. Netty accumulates them in memory without a cap, and the service runs out of memory.
How to detect
Check the Java dependency graph: Netty is pulled in transitively by many frameworks.
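One way to run that dependency graph check, as an added example (not Securie's or Netty's own code): it parses `mvn dependency:tree` output and flags resolved `io.netty` artifacts below 4.1.108.Final. It assumes a Maven build, that the decoder ships in `netty-codec-http` (also reachable through `netty-all`), and uses a constructed sample tree.

```python
import re

# Assumption: HttpPostRequestDecoder ships in netty-codec-http; netty-all bundles or pulls it in.
AFFECTED_ARTIFACTS = {"netty-codec-http", "netty-all"}
FIXED = (4, 1, 108)  # first fixed release per the advisory: 4.1.108.Final
COORD = re.compile(r"(?<![\w.-])io\.netty:([\w.-]+):([\w.:-]+)")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed sample of `mvn dependency:tree -Dverbose` output (not from a real project).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-webflux:jar:3.1.5:compile
[INFO] |  \\- io.projectreactor.netty:reactor-netty-http:jar:1.1.12:compile
[INFO] |     +- io.netty:netty-codec-http:jar:4.1.100.Final:compile
[INFO] |     \\- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.100.Final:compile
[INFO] +- (io.netty:netty-codec-http:jar:4.1.94.Final:compile - omitted for conflict with 4.1.100.Final)
[INFO] \\- io.netty:netty-all:jar:4.1.108.Final:compile
"""


def parse_version(token):
    """Return (major, minor, patch) for tokens like '4.1.100.Final', else None."""
    m = VERSION.match(token)
    return tuple(int(x) for x in m.groups()) if m else None


def find_vulnerable(tree_text):
    """Return sorted (artifact, version) pairs resolved below the fixed release."""
    hits = set()
    for line in tree_text.splitlines():
        # Verbose mode lists losing versions as "omitted"; they are not on the classpath.
        if "omitted for" in line:
            continue
        m = COORD.search(line)
        if not m or m.group(1) not in AFFECTED_ARTIFACTS:
            continue
        # Remaining fields are type[:classifier]:version[:scope]; take the
        # first field that parses as a version.
        for field in m.group(2).split(":"):
            ver = parse_version(field)
            if ver is not None:
                if ver < FIXED:
                    hits.add((m.group(1), field))
                break
    return sorted(hits)


if __name__ == "__main__":
    for artifact, version in find_vulnerable(SAMPLE_TREE):
        print(f"io.netty:{artifact}:{version} is below 4.1.108.Final")
```

The comparison is numeric on the first three version components only, so qualifiers such as `.Final` are ignored.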
How to fix
Upgrade Netty to 4.1.108.Final or later.
How Securie catches it
Securie's Java + transitive-dep scanner covers this.