Impact
Netty’s RedisDecoder can consume unbounded direct memory when it receives a series of Redis payloads that omit the required CRLF terminator: the decoder keeps accumulating the unterminated bytes without any size check. The resulting OutOfDirectMemoryError prevents the application from handling further connections, so the service is effectively unavailable to legitimate users. An attacker can trigger this failure by sending crafted messages, producing a denial-of-service condition.
Affected Systems
All instances of Netty that use netty-codec-redis versions prior to 4.1.135.Final and 4.2.15.Final. Applications, servers, or services that embed these older Netty releases are at risk.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity; the EPSS score is below 1%, indicating a very low exploitation probability and suggesting the vulnerability is rarely or not yet exploited in the wild. The vulnerability is not listed in CISA’s KEV catalog, which further implies limited real-world exploitation. Based on the description, an attacker could exploit the flaw remotely by sending malicious Redis payloads over the network to any publicly reachable Netty endpoint that uses RedisDecoder to process Redis commands.
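As an added illustration of the defensive idea, not code from Netty or from the advisory: a hypothetical inbound handler placed ahead of RedisDecoder that closes a connection once more than a configured number of bytes arrive without a CRLF terminator, so an unterminated payload can no longer grow the cumulation buffer without bound. The class name and the limit are assumptions; upgrading to a fixed release remains the actual remedy.

```java
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.redis.RedisDecoder;
import io.netty.util.ReferenceCountUtil;

// Hypothetical guard (not part of Netty): counts bytes received since the last
// CRLF and disconnects the peer once that run exceeds a fixed limit.
public final class UnterminatedPayloadGuard extends ChannelInboundHandlerAdapter {
    private final int maxBytesWithoutCrlf;
    private int bytesSinceCrlf;
    private boolean previousWasCr;

    public UnterminatedPayloadGuard(int maxBytesWithoutCrlf) {
        this.maxBytesWithoutCrlf = maxBytesWithoutCrlf;
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        if (msg instanceof ByteBuf) {
            ByteBuf buf = (ByteBuf) msg;
            for (int i = buf.readerIndex(); i < buf.writerIndex(); i++) {
                byte b = buf.getByte(i);
                if (previousWasCr && b == '\n') {
                    bytesSinceCrlf = 0;          // a complete CRLF terminator was seen
                } else {
                    bytesSinceCrlf++;
                }
                previousWasCr = (b == '\r');
                if (bytesSinceCrlf > maxBytesWithoutCrlf) {
                    ReferenceCountUtil.release(msg); // drop the buffer rather than cumulate it
                    ctx.close();                     // stop feeding RedisDecoder from this peer
                    return;
                }
            }
        }
        ctx.fireChannelRead(msg); // properly terminated traffic proceeds to RedisDecoder
    }

    // Install the guard in front of RedisDecoder when the channel is set up.
    public static ChannelInitializer<SocketChannel> initializer(int maxBytesWithoutCrlf) {
        return new ChannelInitializer<SocketChannel>() {
            @Override
            protected void initChannel(SocketChannel ch) {
                ch.pipeline().addLast(new UnterminatedPayloadGuard(maxBytesWithoutCrlf));
                ch.pipeline().addLast(new RedisDecoder());
            }
        };
    }
}
```

The limit must exceed the longest legitimate run of bytes between terminators in the deployment (for example the body of a large bulk string), otherwise well-behaved clients are disconnected too.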
OpenCVE Enrichment
Github GHSA