All Netty CVEs — Complete Vulnerability History
Netty is one of the most widely used asynchronous networking frameworks for Java: Spring WebFlux (via Reactor Netty), gRPC-java, Apache Cassandra, and Elasticsearch all build on it, so a Netty CVE usually reaches applications that never declare Netty directly. CVE-2023-44487 (HTTP/2 Rapid Reset) is on the CISA Known Exploited Vulnerabilities (KEV) list.
Ecosystem: Java/Maven
CVEs listed: 5 (1 CRITICAL)
🔴 1 CVE on CISA KEV: CVE-2023-44487 is listed by CISA as exploited in the wild
Full CVE history
| CVE | Year | Severity | Description | Fixed in |
|---|---|---|---|---|
| CVE-2019-20444 | 2019 | CRITICAL | HTTP request smuggling: HttpObjectDecoder accepted a header line without a colon, which can be parsed as a separate header or as an invalid fold, so front-end and back-end disagree on message boundaries | 4.1.44.Final |
| CVE-2021-37136 | 2021 | HIGH | DoS via decompression bomb: Bzip2Decoder enforced no limit on decompressed size | 4.1.68.Final |
| CVE-2021-37137 | 2021 | HIGH | DoS via decompression bomb: SnappyFrameDecoder enforced no limit on chunk length and buffered skippable chunks in full | 4.1.68.Final |
| CVE-2022-41881 | 2022 | HIGH | DoS via StackOverflowError in HAProxyMessageDecoder when parsing a crafted PROXY-protocol message | 4.1.86.Final |
| CVE-2023-44487 | 2023 | 🔴 HIGH | HTTP/2 Rapid Reset DoS (CISA KEV): a client opens streams and immediately cancels them with RST_STREAM faster than the server can tear them down; the fix limits the rate of RST_STREAM frames a peer may send | 4.1.100.Final |
Recommended minimum version at the time this page was written: 4.1.108.Final. Any later 4.1.x release also contains every fix in the table, so upgrade to the newest available rather than pinning to 4.1.108.Final.
If your pom inherits from spring-boot-starter-parent, the Netty version is managed for you and is overridden by setting the `netty.version` property in the `<properties>` block of your pom.xml:

```xml
<!-- Before -->
<netty.version>4.1.77.Final</netty.version>

<!-- After -->
<netty.version>4.1.108.Final</netty.version>
```

If Netty is declared directly as a dependency instead, bump the `<version>` on that dependency. Then run:

```shell
mvn dependency:resolve
mvn dependency:tree -Dincludes=io.netty
```

and confirm that every io.netty artifact resolves to the new version; a stale transitive copy left behind by another library is the usual reason an upgrade does not take.
Common questions

Do Spring Boot apps use Netty?
Spring Boot pulls in Netty (through Reactor Netty) when you use the reactive web stack, spring-boot-starter-webflux. Traditional Spring MVC apps run on embedded Tomcat by default, but they still get Netty if they add spring-boot-starter-webflux for WebClient. Check which starters your pom.xml declares.

How do I know what Netty version I'm using?
Run `mvn dependency:tree -Dincludes=io.netty` (or `mvn dependency:tree | grep netty`) to list every Netty artifact and its resolved version; Gradle users can run `./gradlew dependencies --configuration runtimeClasspath`. Libraries that ship a relocated copy of Netty, such as grpc-netty-shaded, appear under their own coordinates and version, so the embedded Netty version has to be checked in that library's release notes.
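The check described above, carried through as a script: it parses `mvn dependency:tree` output, compares each io.netty artifact against the fix versions in the table, and flags artifacts that bundle a relocated Netty whose version the tree cannot show. This is an added example, not code from the page or from PackageFix; the sample tree it runs on is constructed, and the file name `netty_check.py` in the usage comment is an assumption.

```python
"""Check `mvn dependency:tree` output against the Netty fix versions listed
on this page. Added example; it is not part of the page or of PackageFix.
The sample tree below is constructed, not captured from a real build."""
import re
import sys
from typing import Dict, List, Tuple

# CVE -> first Netty release containing the fix (from the table above).
FIXED_IN: Dict[str, str] = {
    "CVE-2019-20444": "4.1.44.Final",
    "CVE-2021-37136": "4.1.68.Final",
    "CVE-2021-37137": "4.1.68.Final",
    "CVE-2022-41881": "4.1.86.Final",
    "CVE-2023-44487": "4.1.100.Final",
}

# Matches the coordinate part of a tree line, e.g.
#   [INFO] |  +- io.netty:netty-codec-http2:jar:4.1.77.Final:compile
# Captures everything after "io.netty:" so the fields can be split on ':'.
COORD_RE = re.compile(r"(?<![\w.])io\.netty:([^\s:]+(?::[^\s:]+)+)")
# A Maven version field: digits and dots, optional qualifier such as .Final
VERSION_RE = re.compile(r"\d+(?:\.\d+)+(?:[.-][\w-]+)?")


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.1.100.Final' -> (4, 1, 100). Comparing tuples gets 4.1.100 > 4.1.77
    right, which a plain string comparison would not. The qualifier is
    dropped: every 4.1.x release in the table is a .Final build."""
    return tuple(int(p) for p in re.split(r"[.-]", v) if p.isdigit())


def parse_tree(text: str) -> Dict[str, str]:
    """Map artifactId -> resolved version for each io.netty artifact.
    Fields are artifact:packaging[:classifier]:version:scope; the classifier
    (present on native transports) is optional, so the version is found by
    shape rather than by position. netty-tcnative has its own version line
    (2.0.x) and is skipped so it is not compared against 4.1.x fixes."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        fields = m.group(1).split(":")
        artifact = fields[0]
        if artifact.startswith("netty-tcnative"):
            continue
        version = next((f for f in fields[1:] if VERSION_RE.fullmatch(f)), None)
        if version:
            found[artifact] = version
    return found


def affected(found: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(artifact, version, cve) for every artifact older than a fix.
    Netty releases all artifacts under one version, so the check is by
    version only; it says nothing about whether the vulnerable decoder is
    actually on your pipeline."""
    hits = []
    for artifact, version in sorted(found.items()):
        for cve, fixed in FIXED_IN.items():
            if parse_version(version) < parse_version(fixed):
                hits.append((artifact, version, cve))
    return hits


def shaded_netty(text: str) -> List[str]:
    """Coordinates of artifacts that bundle a relocated Netty (for example
    grpc-netty-shaded). Their embedded Netty version is not visible in the
    tree and must be checked against that library's own release notes."""
    return [m.group(1) for m in re.finditer(r"([\w.-]+:[\w.-]*netty[\w.-]*shaded[\w.-]*):", text)]


# Constructed sample: a Spring Boot 2.7.0 WebFlux app plus grpc-netty-shaded.
SAMPLE_TREE = """[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-webflux:jar:2.7.0:compile
[INFO] |  \\- io.projectreactor.netty:reactor-netty-http:jar:1.0.19:compile
[INFO] |     +- io.netty:netty-codec-http:jar:4.1.77.Final:compile
[INFO] |     +- io.netty:netty-codec-http2:jar:4.1.77.Final:compile
[INFO] |     +- io.netty:netty-handler-proxy:jar:4.1.77.Final:compile
[INFO] |     +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.77.Final:compile
[INFO] |     \\- io.netty:netty-tcnative-boringssl-static:jar:2.0.52.Final:compile
[INFO] \\- io.grpc:grpc-netty-shaded:jar:1.47.0:compile
"""

if __name__ == "__main__":
    # Pipe real output in: mvn dependency:tree | python3 netty_check.py
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    for artifact, version, cve in affected(parse_tree(text)):
        print(f"{artifact} {version}: {cve} (fixed in {FIXED_IN[cve]})")
    for coord in shaded_netty(text):
        print(f"{coord}: bundles a relocated Netty, check its own release notes")
```

On the sample tree every 4.1.77.Final artifact is reported against CVE-2022-41881 and CVE-2023-44487 (the three older fixes are already present), netty-tcnative is ignored because it follows a 2.0.x version line, and grpc-netty-shaded is called out separately because its Netty version cannot be read from the tree. The comparison is by version only: it tells you the fix is missing, not whether the affected decoder is reachable in your application.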