Impact
Netty is a network application framework that, in versions before 4.1.135.Final and 4.2.15.Final, does not validate the bailiwick of CNAME records returned in DNS responses. This weakness, identified as CWE-345, allows an attacker to supply malicious CNAME responses that are accepted as legitimate, leading to DNS cache poisoning of the Netty resolver. An attacker that can influence the DNS response for the domain queried by a Netty application could redirect traffic, perform man-in-the-middle attacks, or otherwise subvert the application's network connections.
Affected Systems
The affected products are the Netty framework from the Netty project. All versions released before 4.1.135.Final and before 4.2.15.Final are vulnerable; the vulnerability is fixed starting with those two releases. Systems running an older Netty client or server that performs DNS resolution via DnsResolveContext are at risk.
Risk and Exploitability
The CVSS score of 8.7 indicates a high severity impact. The EPSS score is less than 1%, implying a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker can inject a forged DNS response for a resolution requested by a Netty application, typically by controlling the DNS server or by controlling the victim's local network environment. Once the malicious CNAME record is cached, any subsequent DNS queries from the vulnerable Netty instance will resolve to the attacker-controlled target, enabling potential traffic hijacking or deception.
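As an added illustration (not Netty's code, and not the actual fix in DnsResolveContext), the check below models the kind of validation this advisory describes: a CNAME record is accepted only if it sits on the chain that starts at the queried name, and every other CNAME in the response is discarded instead of cached. The record type, the names and addresses, and the sample response are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    name: str   # owner name of the record
    rtype: str  # "CNAME" or "A" (constructed, minimal record model)
    data: str   # CNAME target name, or the address of an A record

def _norm(name: str) -> str:
    return name.rstrip(".").lower()

def filter_cname_chain(qname: str, answers: list[Record]) -> tuple[list[Record], list[Record], str]:
    """Follow CNAMEs from the queried name; accept only records on that chain.

    Returns (accepted CNAMEs, rejected CNAMEs, final name to resolve).
    Rejected records are the ones a resolver must never place in its cache.
    """
    by_owner: dict[str, Record] = {}
    for r in answers:
        if r.rtype == "CNAME":
            by_owner.setdefault(_norm(r.name), r)  # first record per owner wins
    current = _norm(qname)
    seen = {current}
    accepted: list[Record] = []
    while current in by_owner:
        rec = by_owner[current]
        nxt = _norm(rec.data)
        if nxt in seen:          # CNAME loop: stop instead of spinning
            break
        accepted.append(rec)
        seen.add(nxt)
        current = nxt
    rejected = [r for r in answers if r.rtype == "CNAME" and r not in accepted]
    return accepted, rejected, current

def naive_cname_cache(answers: list[Record]) -> dict[str, str]:
    """Simplified model of the unvalidated behaviour: cache every CNAME in the answer."""
    return {_norm(r.name): _norm(r.data) for r in answers if r.rtype == "CNAME"}

def checked_cname_cache(qname: str, answers: list[Record]) -> dict[str, str]:
    """Cache only CNAMEs that lie on the chain from the queried name."""
    accepted, _, _ = filter_cname_chain(qname, answers)
    return {_norm(r.name): _norm(r.data) for r in accepted}

# Constructed response to a query for api.example.test: one legitimate CNAME,
# plus an unrelated CNAME for a different name that a poisoned answer could carry.
QNAME = "api.example.test"
ANSWERS = [
    Record("api.example.test.", "CNAME", "edge.example.test."),
    Record("edge.example.test.", "A", "192.0.2.10"),
    Record("login.bank.example.", "CNAME", "attacker.invalid."),
    Record("attacker.invalid.", "A", "203.0.113.5"),
]
```

Run against ANSWERS, `naive_cname_cache` stores the unrelated login.bank.example mapping, while `checked_cname_cache` keeps only the api.example.test entry.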
OpenCVE Enrichment