CVE-2025-55163

Aliases:GHSA-prj3-ccx8-p6x4

Advisory lineage Upstream: 0 Downstream: 14

Downstream

DEBIAN-CVE-2025-55163 DLA-4519-1 DSA-6160-1 OPENSUSE-SU-2025:15483-1 RHSA-2025:17298 RHSA-2025:17317

Modified

Published: 13 Aug 2025, 14:17

Last modified:04 Nov 2025, 21:13

Vulnerability Summary

Overall Risk (default)

medium

43/100

CVSS Score

8.2 HIGH

v4.0 (cve.org)

EPSS Score

0.05% LOW

0% probability -0.07%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

13 Aug 2025, 14:17

Published

Vulnerability first disclosed

04 Nov 2025, 21:13

Last Modified

Vulnerability information updated

Description

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

CVSS Metrics

v4.0•HIGH•Score: 8.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
v4.0•HIGH•Score: 8.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.05%• Percentile: 17%

Techniques & Countermeasures

CWE-770•Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

io.grpc•grpc-netty-shaded
< 1.75.0
io.netty•netty-codec-http2
≥ 4.2.0.Alpha1, < 4.2.4.Final | < 4.1.124.Final
netty•netty
< 4.1.124.Final | < 4.2.4.Final | < 4.1.124 | ≥ 4.2.0, < 4.2.4