DDoS Vulnerability in Netty Framework
CVE-2025-55163

8.2HIGH

Key Information:

Vendor: Netty
Status: Netty
Vendor: CVE Published:; 13 August 2025

What is CVE-2025-55163?

CVE-2025-55163 is a significant vulnerability within the Netty framework, which is an asynchronous and event-driven network application framework widely used for developing high-performance network applications. This vulnerability is classified as a logical flaw in the HTTP/2 protocol, specifically related to the abnormal handling of HTTP/2 control frames. It allows attackers to exploit the maximum concurrent streams limit, leading to resource exhaustion and subsequently causing a distributed denial of service (DDoS). The risk presented by this vulnerability could severely impact organizations relying on the Netty framework, potentially resulting in service disruptions, financial losses, and diminished trust from users due to downtime.

The vulnerability affects versions prior to 4.1.124.Final and 4.2.4.Final, which means that any deployment using these versions is at risk. This issue emphasizes the critical need for organizations to keep their software dependencies up-to-date and to apply security patches promptly to defend against possible service interruptions and performance degradation.

Potential impact of CVE-2025-55163

Service Disruption: By exploiting the vulnerability, attackers can overwhelm the server by exceeding the maximum concurrent streams limit, leading to significant service outages. This affects not only the application performance but also the user experience, causing frustration and potential loss of customer trust.
Financial Loss: Organizations may incur substantial financial implications due to downtime and service interruptions. In addition to direct revenue loss during the outage, businesses could also face costs related to recovery efforts, potential legal liabilities, and damage to their reputation.
Resource Exhaustion: The ability of attackers to deplete server resources can hinder other legitimate operations and processes. This could lead to cascading failures in related systems and services, potentially impacting a broader range of infrastructure and operational capabilities within an organization.

Affected Version(s)

netty < 4.1.124.Final < 4.1.124.Final

netty < 4.2.4.Final < 4.2.4.Final

References

https://github.com/netty/netty/security/advisories/GHSA-p...

x_refsource_CONFIRM

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 13, 2025
Vulnerability Reserved
Aug 7, 2025