214 matches found
ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +23578 more potentially affected by CVE-2026-33870 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.131.Final)
io.netty:netty-codec-http MAVEN version =4.0.0.Alpha1, =0.1.0-alpha.2, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.3, =0.1.0-alpha.2, =0.1.0, =0.1.0, =0.2.0, =0.2.0, =0.28.0 and more Source cves:...
Security Bulletin: IBM SPSS Analytic Server is affected by CRLF injection vulnerability in Netty Codec (CVE-2025-67735)
Summary: IBM SPSS Analytic Server is affected by CRLF injection vulnerability in Netty Codec CVE-2025-67735. This has been addressed in the remediation section. Vulnerability Details: CVEID: CVE-2025-67735 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions...
Security Bulletin: There is a vulnerability in netty-codec-http-4.1.126.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-67735)
Summary: There is a vulnerability in netty-codec-http-4.1.126.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details: CVEID: CVE-2025-67735 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions prior to...
Security Bulletin: Vulnerabilities in netty-codec-4.1.124.Final.jar, netty-codec-http-4.1.108.Final.jar, netty-codec-http2-4.1.124.Final.jar affecting MongoDB Enterprise Advanced (CVE-2025-58056, CVE-2025-58057, CVE-2025-67735)
Summary: There are vulnerabilities in netty-codec-4.1.124.Final.jar, netty-codec-http-4.1.108.Final.jar, netty-codec-http2-4.1.124.Final.jar used in MongoDB Enterprise Advanced for IBM, involving CVE-2025-58056, CVE-2025-58057, CVE-2025-67735. The vulnerabilities have been addressed. Vulnerabilit...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in netty-codec-4.1.100.Final.jar
Summary: IBM Watson Discovery Cartridge affected by vulnerability in netty-codec-4.1.100.Final.jar. Vulnerability Details: CVEID: CVE-2025-58057 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers &...
CRLF Injection
io.netty, netty-codec-http is vulnerable to CRLF Injection. The vulnerability is due to improper sanitization of the request URI in HttpRequestEncoder, which allows an attacker to inject CRLF sequences and smuggle malicious HTTP requests...
CRLF Injection
Overview: io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to CRLF Injection in HttpRequestEncoder, due to improper sanitization of a URI with line-breaks...
ai.catboost:catboost-spark_4.1_2.13 (=1.2.10), ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0) +4101 more potentially affected by CVE-2025-67735 via io.netty:netty-codec-http (>=4.2.0.Alpha1 <=4.2.7.Final)
io.netty:netty-codec-http MAVEN version =4.2.0.Alpha1, =0.1.0, =0.1.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =26.3.2 and more Source cves: CVE-2025-67735 Source advisory: SNYK:JAVA-IONETTY-14423947...
ai.catboost:catboost-spark_4.1_2.13 (=1.2.10), ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0) +4101 more potentially affected by CVE-2025-67735 via io.netty:netty-codec-http (>=4.2.0.Alpha1 <=4.2.7.Final)
io.netty:netty-codec-http MAVEN version =4.2.0.Alpha1, =0.1.0, =0.1.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =26.3.2 and more Source cves: CVE-2025-67735 Source advisory: OSV:GHSA-84H7-RJJ3-6JX4...
ai.ancf.lmos-router:benchmarks (>=0.2.0 <=0.28.0), ai.ancf.lmos-router:lmos-router-hybrid (>=0.2.0 <=0.28.0) +22650 more potentially affected by CVE-2025-67735 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.128.Final)
io.netty:netty-codec-http MAVEN version =4.0.0.Alpha1, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.1.1, =0.1.1, =0.1.1, =0.0.4, =0.6.0 - ai.ancf.lmos:lmos-router-hybrid =0.1.0 - ai.ancf.lmos:lmos-router-hybrid-spring-boot-starter =0.1.0 - ai.ancf.lmos:lmos-router-llm =0.1.0 -...
DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Bamboo Data Center and Server
This High severity DoS (Denial of Service) vulnerability was introduced in versions 9.6.1, 10.2.0 of Bamboo Data Center and Server. This DoS (Denial of Service) vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of: ...
Security Bulletin: Netty Affected by Decompression Flaw Where BrotliDecoder Allocates Unlimited Buffers, Enabling DoS, affects watsonx.data
Summary: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially...
Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which are vulnerable to CVEs.
Summary IBM Maximo Application Suite uses "form-data 4.0.0, org.apache.cxfcxf-core 3.6.7 , net/http/internal v1.24.1, braces 3.0.2 , cross-spawn 7.0.3 , crypto/x509 1.24.1 1.24.3 , github.com/golang-jwt/jwt/v4 github.com/golang-jwt/jwt/v5 v4.5.0 v5.2.1 , httpd 2.4.37 , setuptools 78.0.2 75.8.0 ,...
netty-codec: netty-codec-compression: Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack
A flaw was found in Netty. With specially crafted input, BrotliDecoder and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service...
Security Bulletin: Due to use of netty-codec, IBM Sterling Connect:Direct Web Services is affected by denial of service.
Summary: Netty-codec is used by IBM Sterling Connect:Direct Web Services CVE-2025-58057. Vulnerability Details: CVEID: CVE-2025-58057 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In...
ai.chronon:service_2.11 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91), ai.chronon:service_2.12 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91) +2219 more potentially affected by CVE-2025-59419 via io.netty:netty-codec-smtp (>=4.1.100.Final <=4.1.127.Final)
io.netty:netty-codec-smtp MAVEN version =4.1.100.Final, =0.0.86, =0.0.86, =0.0.1, =2.0.24, =1.1.9, =0.3.36, =1.9.0, =2.0.0, =2.4.0, =2.4.0, =0.0.15, =4.0.0, =1.0.3, =1.1.2 and more Source cves: CVE-2025-59419 Source advisory: OSV:GHSA-JQ43-27X9-3V86...
ai.spice:spiceai (=0.6.0), cn.hserver:hserver (=3.7.0) +513 more potentially affected by CVE-2025-59419 via io.netty:netty-codec-smtp (>=4.2.0.Alpha1 <=4.2.6.Final)
io.netty:netty-codec-smtp MAVEN version =4.2.0.Alpha1, =4.2.6.Final is affected by a known vulnerability. The following packages have a transitive dependency on io.netty:netty-codec-smtp and may be impacted: - ai.spice:spiceai =0.6.0 - cn.hserver:hserver =3.7.0 - cn.hserver:hserver-netty-web...
ai.chronon:service_2.11 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91), ai.chronon:service_2.12 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91) +2219 more potentially affected by CVE-2025-59419 via io.netty:netty-codec-smtp (>=4.1.100.Final <=4.1.127.Final)
io.netty:netty-codec-smtp MAVEN version =4.1.100.Final, =0.0.86, =0.0.86, =0.0.1, =2.0.24, =1.1.9, =0.3.36, =1.9.0, =2.0.0, =2.4.0, =2.4.0, =0.0.15, =4.0.0, =1.0.3, =1.1.2 and more Source cves: CVE-2025-59419 Source advisory: SNYK:JAVA-IONETTY-13560334...