CVE-2025-55163 HIGH

CVE-2025-55163: Netty MadeYouReset HTTP/2 DDoS Vulnerability

Vendor Netty
Product netty
Weakness CWE-770 · Uncontrolled resource consumption
Published August 13, 2025
Last update November 4, 2025

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

Key dates

02Disclosure timeline

August 13, 2025 CVE published
November 4, 2025 Record updated