Impact
Netty's QUIC implementation, prior to 4.2.15.Final, exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. By reading the connection-ID bytes in QUIC headers after a source-CID rotation, an on-path attacker can derive the reset token for the server's current source connection ID. With this token the attacker can send spoofed Stateless Reset packets, causing the server to terminate the connection and resulting in a denial of service. The flaw involves the disclosure of sensitive information (CWE-200) and the use of non-random or weak tokens (CWE-330).
Affected Systems
The vulnerability affects the Netty network application framework used in Java servers and clients. Netty 4.x releases that include the QUIC module and predate version 4.2.15.Final are susceptible. Any application that relies on Netty 4.2.x for QUIC communication and does not upgrade to the patched version is impacted.
Risk and Exploitability
The CVSS score of 4.8 places this vulnerability in the moderate range. No EPSS score is available, so the probability of exploitation cannot be estimated precisely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to be on the network path to observe QUIC headers and to send an unsolicited Stateless Reset packet, which does not require authentication with the server. Because the attacker can terminate connections, the risk is primarily a denial of service to legitimate users. The flaw does not grant confidentiality or integrity compromise beyond service disruption, so the overall risk is moderate, but it should be mitigated promptly by patching.