Vulnerability DatabaseCVE-2024-29025

CVE-2024-29025:
Java vulnerability analysis and mitigation

Overview

The HttpPostRequestDecoder in Netty, an asynchronous event-driven network application framework, contains a vulnerability (CVE-2024-29025) that allows accumulation of data without proper limits. The vulnerability was discovered in versions prior to 4.1.108.Final and disclosed on March 25, 2024. The issue affects the decoder's handling of form data, where it can be exploited through two attack vectors: unlimited field accumulation in the bodyListHttpData list and unbounded data accumulation in the undecodedChunk buffer (GitHub Advisory).

Technical details

The vulnerability stems from the HttpPostRequestDecoder's lack of hard limits for both the number of fields a form can have and the number of accumulated bytes. An attacker can exploit this by sending a chunked POST request with many small fields that accumulate in the bodyListHttpData list. Additionally, the decoder accumulates bytes in the undecodedChunk buffer until it can decode a field, without any size restrictions. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).

Impact

The vulnerability can lead to a denial of service through resource exhaustion. When exploited, it affects any Netty-based HTTP server that uses the HttpPostRequestDecoder to decode form data. The impact is primarily on system availability, with no direct effect on confidentiality or integrity (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Netty version 4.1.108.Final. The fix implements hard limits for both maxFields (defining the maximum number of fields the form can have) and maxBufferedBytes (defining the maximum number of bytes a field can accumulate). When a limit is reached, a decoder exception is thrown (GitHub Commit).

Community reactions

Various organizations have responded to this vulnerability. Red Hat has included fixes in their security advisories RHSA-2024:4028 and RHSA-2024:6536. Debian has also addressed the vulnerability in their Long Term Support (LTS) advisory DLA-3834-1, providing patches for affected versions (Debian LTS).

Additional resources

Source: This report was generated using AI

5.3

Score

Published March 25, 2024

Severity MEDIUM

CNA Score 5.3

Affected Technologies

Java
Neo4j

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 17.6

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

spark-3.5-scala-2.13
stargate

Sources

NVD
Chainguard
- Chainguard Has FixAdded at: Apr 09, 2024
Debian Security Tracker
- Debian 10, 13 Severity MEDIUMHas FixAdded at: Mar 27, 2024
- Debian 11, 12 Severity MEDIUMNo FixAdded at: Mar 27, 2024
GitHub Advisory Database
- Maven Severity MEDIUMHas FixAdded at: Mar 27, 2024
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04, 24.10 Severity MEDIUMHas FixAdded at: Feb 24, 2025
- Ubuntu 25.04 Severity MEDIUMHas FixAdded at: May 08, 2025
Wolfi
- Wolfi Has FixAdded at: Apr 09, 2024