The vulnerability resides in `MqttDecoder`, specifically in the parsing of the Properties section of an MQTT 5 variable header. The `decodeVariableHeader()` method is invoked before Netty applies the `maxBytesInMessage` limit, so no size check is performed on the variable header or its properties. `decodeVariableHeader()` then calls `decodeProperties()`, which processes the entire Properties section without any constraint on its size. Furthermore, because `MqttDecoder` extends `ReplayingDecoder`, Netty does not read the oversized Properties section just once: the decoder's state machine repeatedly re-parses the enormous data, buffering the bytes in memory until the section can be fully processed. The result is uncontrolled consumption of both CPU and memory, leading to a complete denial of service for the Netty server. A remote attacker can trigger this exhaustion without authentication by sending a single, specially crafted MQTT message with an excessively large Properties section.
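The missing check described above is easiest to see in a decoder that performs it. The following is an added example, written for this page and not Netty's code: a bounded parser for the fixed and variable header of an MQTT 5 CONNECT packet that compares both the declared remaining length and the declared Properties length against a byte budget (named `max_bytes_in_message` here, after the Netty limit the page mentions) before a single property byte is buffered or decoded. The two sample packets are constructed for the example; the second one carries a valid header whose Properties length field claims more bytes than the budget allows and more than the packet contains, which is the shape of input the bounded parser has to reject up front rather than re-parse.

```python
"""Bounded MQTT 5 CONNECT header parser (added example, not Netty's code)."""
import struct

CONNECT_TYPE = 0x10  # MQTT control packet type CONNECT (high nibble of byte 0)


class MqttDecodeError(ValueError):
    """Malformed packet, or a declared length above the configured budget."""


def decode_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode an MQTT Variable Byte Integer at buf[pos]; return (value, next_pos)."""
    value, multiplier = 0, 1
    for _ in range(4):  # the encoding is at most 4 bytes (max 268,435,455)
        if pos >= len(buf):
            raise MqttDecodeError("truncated variable byte integer")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if byte & 0x80 == 0:
            return value, pos
        multiplier *= 128
    raise MqttDecodeError("variable byte integer longer than 4 bytes")


def _take(buf: bytes, pos: int, n: int) -> tuple[bytes, int]:
    """Return n bytes starting at buf[pos], or raise if the buffer is too short."""
    if pos + n > len(buf):
        raise MqttDecodeError("truncated packet")
    return buf[pos:pos + n], pos + n


def parse_connect_header(packet: bytes, max_bytes_in_message: int) -> dict:
    """Parse the fixed + variable header of an MQTT 5 CONNECT, enforcing the budget early."""
    if not packet or packet[0] & 0xF0 != CONNECT_TYPE:
        raise MqttDecodeError("not a CONNECT packet")
    remaining, pos = decode_varint(packet, 1)
    if remaining > max_bytes_in_message:  # bound 1: the whole message
        raise MqttDecodeError(f"remaining length {remaining} exceeds budget")
    body_start = pos
    raw, pos = _take(packet, pos, 2)  # Protocol Name: 2-byte length prefix
    name, pos = _take(packet, pos, struct.unpack(">H", raw)[0])
    if name != b"MQTT":
        raise MqttDecodeError(f"unexpected protocol name {name!r}")
    raw, pos = _take(packet, pos, 4)  # protocol level, connect flags, keep-alive (2 bytes)
    level, flags, keep_alive = raw[0], raw[1], struct.unpack(">H", raw[2:])[0]
    if level != 5:
        raise MqttDecodeError("Properties only exist in MQTT 5 (protocol level 5)")
    props_len, pos = decode_varint(packet, pos)
    # bound 2: reject the declared Properties length BEFORE reading any property byte
    if props_len > max_bytes_in_message:
        raise MqttDecodeError(f"properties length {props_len} exceeds budget")
    if (pos - body_start) + props_len > remaining:
        raise MqttDecodeError("properties length exceeds declared remaining length")
    properties, pos = _take(packet, pos, props_len)  # only now are property bytes consumed
    return {"protocol_level": level, "connect_flags": flags, "keep_alive": keep_alive,
            "properties_length": props_len, "properties": properties, "payload_offset": pos}


def check_packet(packet: bytes, max_bytes_in_message: int) -> tuple[str, str]:
    """Classify a packet as ('accepted', summary) or ('rejected', reason), e.g. for logging."""
    try:
        hdr = parse_connect_header(packet, max_bytes_in_message)
    except MqttDecodeError as exc:
        return "rejected", str(exc)
    return "accepted", f"properties={hdr['properties_length']} bytes"


# Constructed sample packets (not captured traffic).
# Benign CONNECT: "MQTT", level 5, Clean Start, keep-alive 60, one 5-byte property
# (Session Expiry Interval = 10), payload = client id "abc".
BENIGN_CONNECT = bytes([
    0x10, 0x15,                          # CONNECT, remaining length 21
    0x00, 0x04, 0x4D, 0x51, 0x54, 0x54,  # "MQTT"
    0x05, 0x02, 0x00, 0x3C,              # level 5, Clean Start, keep-alive 60
    0x05, 0x11, 0x00, 0x00, 0x00, 0x0A,  # properties length 5, Session Expiry Interval = 10
    0x00, 0x03, 0x61, 0x62, 0x63,        # client id "abc"
])
# Same header, but the Properties length field claims 128 bytes (varint 0x80 0x01):
# more than the 64-byte budget used below and more than the packet actually carries.
OVERSIZED_PROPERTIES_CONNECT = bytes([
    0x10, 0x15,
    0x00, 0x04, 0x4D, 0x51, 0x54, 0x54,
    0x05, 0x02, 0x00, 0x3C,
    0x80, 0x01,                          # properties length = 128
])

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_CONNECT), ("oversized", OVERSIZED_PROPERTIES_CONNECT)):
        print(label, *check_packet(pkt, max_bytes_in_message=64))
```

The order of the checks is the whole point: the budget is compared against the declared lengths, which are a handful of bytes, so a packet that announces a huge Properties section costs the decoder nothing beyond reading the length field. A decoder that instead decodes the properties first and applies the limit afterwards has already paid the CPU and memory cost by the time it rejects the packet.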
Platform: Netty
Version: <= 4.1.132.Final, 4.2.0.Alpha1 to 4.2.12.Final
Vulnerability: Resource exhaustion
Severity: Moderate
Date: May 7, 2026
Prediction: May 7, 2026
Analytics under What Undercode Say:
Check the Netty version in your project (Maven example): `mvn dependency:tree | grep netty-codec-mqtt`
Scan for the vulnerable dependency using grep: `grep -r "netty-codec-mqtt" pom.xml`
Simulate a malicious MQTT packet (conceptual): `echo -n "MQTT Packet with oversized Properties section" | nc -u target_host 1883`
Exploit
An unauthenticated, remote attacker sends a single MQTT 5 CONNECT packet containing a Properties field of thousands or millions of bytes. Because the size limit is applied only after the variable header is parsed, Netty's `MqttDecoder` repeatedly processes the huge payload, consuming all available CPU cores and filling the JVM heap with repeated copies of the data.
Protection from this CVE
Upgrade `io.netty:netty-codec-mqtt` to the patched versions `4.1.133.Final` or `4.2.13.Final`. If an immediate upgrade is not possible, set the Netty channel option `MAX_MESSAGES_PER_READ` to a low value (e.g., 1) to limit the number of messages parsed per event loop tick, which reduces the impact of a single oversized packet.
Impact
Denial of service (DoS). An attacker can crash the Netty server or render it unresponsive with a single small network packet, affecting all connected clients and any services relying on the Netty MQTT handler. No authentication or prior access is needed.
Sources:
Reported By: github.com