2388252 – (CVE-2025-55163) CVE-2025-55163 netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability

Bug 2388252 (CVE-2025-55163) - CVE-2025-55163 netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability

Summary: CVE-2025-55163 netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulne...

Keywords:
Status:	NEW
Alias:	CVE-2025-55163
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2388301
Blocks:
TreeView+	depends on / blocked

Reported:	2025-08-13 15:02 UTC by OSIDB Bzimport
Modified:	2025-10-02 17:36 UTC (History)
CC List:	108 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:14197	None	None	None	2025-08-20 19:33:42 UTC
Red Hat Product Errata	RHSA-2025:14911	None	None	None	2025-08-28 18:38:53 UTC
Red Hat Product Errata	RHSA-2025:14919	None	None	None	2025-09-03 02:15:30 UTC
Red Hat Product Errata	RHSA-2025:15697	None	None	None	2025-09-11 15:17:11 UTC
Red Hat Product Errata	RHSA-2025:16407	None	None	None	2025-09-22 21:48:22 UTC
Red Hat Product Errata	RHSA-2025:17298	None	None	None	2025-10-02 14:55:31 UTC
Red Hat Product Errata	RHSA-2025:17299	None	None	None	2025-10-02 14:54:11 UTC
Red Hat Product Errata	RHSA-2025:17317	None	None	None	2025-10-02 17:36:02 UTC
Red Hat Product Errata	RHSA-2025:17318	None	None	None	2025-10-02 17:34:44 UTC

Description OSIDB Bzimport 2025-08-13 15:02:21 UTC

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

Comment 2 errata-xmlrpc 2025-08-20 19:33:34 UTC

This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.10 for Quarkus 3.20

Via RHSA-2025:14197 https://access.redhat.com/errata/RHSA-2025:14197

Comment 3 errata-xmlrpc 2025-08-28 18:38:45 UTC

This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.10.6 for Spring Boot 3.4.9

Via RHSA-2025:14911 https://access.redhat.com/errata/RHSA-2025:14911

Comment 4 errata-xmlrpc 2025-09-03 02:15:23 UTC

This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:14919 https://access.redhat.com/errata/RHSA-2025:14919

Comment 6 errata-xmlrpc 2025-09-11 15:17:03 UTC

This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.2

Via RHSA-2025:15697 https://access.redhat.com/errata/RHSA-2025:15697

Comment 7 errata-xmlrpc 2025-09-22 21:48:14 UTC

This issue has been addressed in the following products:

  Streams for Apache Kafka 3.0.1

Via RHSA-2025:16407 https://access.redhat.com/errata/RHSA-2025:16407

Comment 8 errata-xmlrpc 2025-10-02 14:54:04 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1.0

Via RHSA-2025:17299 https://access.redhat.com/errata/RHSA-2025:17299

Comment 9 errata-xmlrpc 2025-10-02 14:55:24 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9
  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8

Via RHSA-2025:17298 https://access.redhat.com/errata/RHSA-2025:17298

Comment 10 errata-xmlrpc 2025-10-02 17:34:37 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0.9

Via RHSA-2025:17318 https://access.redhat.com/errata/RHSA-2025:17318

Comment 11 errata-xmlrpc 2025-10-02 17:35:54 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2025:17317 https://access.redhat.com/errata/RHSA-2025:17317

Note You need to log in before you can comment on or make changes to this bug.

aazores
abrianik
anstephe
aprice
aschwart
asoldano
ataylor
avibelli
bbaranow
bgeorges
bmaxwell
boliveir
brian.stansberry
caswilli
ccranfor
cdewolf
chfoley
clement.escoffier
cmah
dandread
darran.lofthouse
dbruscin
dhanak
dkreling
dnakabaa
dosoudil
drosa
dsimansk
eaguilar
ebaron
eric.wittmann
fjuma
fmariani
fmongiar
ggrzybek
gmalinko
gsmet
gtanzill
ibek
istudens
ivassile
iweiss
janstey
jbuscemi
jcantril
jkoehler
jmartisk
jnethert
joehler
jolong
jpechane
jpoth
jrokos
jsamir
jscholz
kaycoth
kgaikwad
kholdawa
kingland
kvanderr
kverlaen
lcouzens
lgao
lphiri
lthon
manderse
matzew
mnovotny
mosmerov
mposolda
mskarbek
msochure
msvehla
nipatil
nwallace
oezr
olubyans
pantinor
parichar
pbizzarr
pdelbell
pesilva
pgallagh
pjindal
pmackay
probinso
rguimara
rkubis
rojacob
rruss
rstancel
rstepani
rsvoboda
sausingh
sbiarozk
sdawley
smaestri
ssilvert
sthirugn
sthorger
swoodman
tasato
tcunning
tom.jenkinson
tqvarnst
vkrizan
vmuzikar
yfang