{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/netty-codec-http2--4.1.132.final/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["netty-codec-http (\u003e= 4.2.0.Alpha1, \u003c= 4.2.12.Final)","netty-codec-http2 (\u003e= 4.2.0.Alpha1, \u003c= 4.2.12.Final)","netty-codec-http (\u003c= 4.1.132.Final)","netty-codec-http2 (\u003c= 4.1.132.Final)"],"_cs_severities":["medium"],"_cs_tags":["decompression-bomb","denial-of-service","netty","http"],"_cs_type":"advisory","_cs_vendors":["Netty"],"content_html":"\u003cp\u003eThe Netty framework is susceptible to a decompression bomb vulnerability in its \u003ccode\u003eHttpContentDecompressor\u003c/code\u003e and \u003ccode\u003eDelegatingDecompressorFrameListener\u003c/code\u003e components. This flaw, present in versions up to 4.2.12.Final and 4.1.132.Final, arises because the \u003ccode\u003emaxAllocation\u003c/code\u003e parameter, intended to limit decompression buffer size, is ignored when content is encoded using Brotli (\u003ccode\u003ebr\u003c/code\u003e), Zstandard (\u003ccode\u003ezstd\u003c/code\u003e), or Snappy. An attacker can exploit this by sending a specially crafted compressed payload with a \u003ccode\u003eContent-Encoding\u003c/code\u003e header set to one of the affected algorithms. This circumvents the configured memory limits, leading to excessive memory allocation and ultimately causing an out-of-memory denial-of-service (DoS) condition on the server. The vulnerability affects both HTTP/1.1 and HTTP/2 connections.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Netty-based HTTP server that uses \u003ccode\u003eHttpContentDecompressor\u003c/code\u003e or \u003ccode\u003eDelegatingDecompressorFrameListener\u003c/code\u003e with a configured \u003ccode\u003emaxAllocation\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious compressed payload designed to expand dramatically upon decompression (a \u0026ldquo;decompression bomb\u0026rdquo;). For example, a small compressed file expands to gigabytes of zeros.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eContent-Encoding\u003c/code\u003e HTTP header to \u003ccode\u003ebr\u003c/code\u003e, \u003ccode\u003ezstd\u003c/code\u003e, or \u003ccode\u003esnappy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the vulnerable server, including the malicious compressed payload in the request body.\u003c/li\u003e\n\u003cli\u003eThe server receives the request and \u003ccode\u003eHttpContentDecompressor\u003c/code\u003e or \u003ccode\u003eDelegatingDecompressorFrameListener\u003c/code\u003e processes the request, detects the \u003ccode\u003eContent-Encoding\u003c/code\u003e, and attempts to decompress it using the corresponding decoder (\u003ccode\u003eBrotliDecoder\u003c/code\u003e, \u003ccode\u003eZstdDecoder\u003c/code\u003e, or \u003ccode\u003eSnappyFrameDecoder\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eBecause the \u003ccode\u003emaxAllocation\u003c/code\u003e is not enforced for these decoders, decompression proceeds without memory limits.\u003c/li\u003e\n\u003cli\u003eThe decoder allocates memory to store the decompressed data, which rapidly consumes available memory.\u003c/li\u003e\n\u003cli\u003eThe server runs out of memory, causing a denial-of-service condition for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition on the targeted Netty server. This can disrupt services, cause downtime, and impact legitimate users. Organizations using affected versions of Netty are vulnerable to this attack. Developers may have a false sense of security, believing that \u003ccode\u003emaxAllocation\u003c/code\u003e protects them from all decompression bombs, but are unknowingly exposed when using brotli, zstd, or snappy encodings. A trivial header modification bypasses the intended protection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Netty that addresses CVE-2026-42587.\u003c/li\u003e\n\u003cli\u003eApply the recommended fix by passing \u003ccode\u003emaxAllocation\u003c/code\u003e to all decoder constructors, including \u003ccode\u003eBrotliDecoder\u003c/code\u003e, \u003ccode\u003eSnappyFrameDecoder\u003c/code\u003e, and \u003ccode\u003eZstdDecoder\u003c/code\u003e, as outlined in the advisory.\u003c/li\u003e\n\u003cli\u003eFor \u003ccode\u003eBrotliDecoder\u003c/code\u003e and \u003ccode\u003eSnappyFrameDecoder\u003c/code\u003e, implement \u003ccode\u003emaxAllocation\u003c/code\u003e parameter with the same semantics as \u003ccode\u003eZlibDecoder.prepareDecompressBuffer()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor \u003ccode\u003eZstdDecoder\u003c/code\u003e, ensure that when \u003ccode\u003emaxAllocation\u003c/code\u003e is set, total output across all buffers is bounded.\u003c/li\u003e\n\u003cli\u003eImplement a network-level rule to limit the size of compressed requests based on \u003ccode\u003eContent-Encoding\u003c/code\u003e header and request size to mitigate potential decompression attacks even if the application is vulnerable.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T00:46:35Z","date_published":"2026-05-07T00:46:35Z","id":"/briefs/2026-05-netty-decompression-bomb/","summary":"Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener are vulnerable to a decompression bomb denial-of-service attack because the maxAllocation parameter is not enforced when Content-Encoding is set to br (Brotli), zstd, or snappy, allowing attackers to bypass decompression limits and cause unbounded memory allocation.","title":"Netty HttpContentDecompressor Brotli/Zstd/Snappy Decompression Bomb Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-netty-decompression-bomb/"}],"language":"en","title":"CraftedSignal Threat Feed — Netty-Codec-Http2 (\u003c= 4.1.132.Final)","version":"https://jsonfeed.org/version/1.1"}