GHSA-q24v-hpg3-v3jp

GitHub Security Advisory

Reactor Netty HTTP Server denial of service vulnerability

✓ GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable if the Reactor Netty HTTP Server's built-in integration with Micrometer is enabled.

Affected Packages

Maven: io.projectreactor.netty:reactor-netty-core
Affected versions: 1.1.0 up to, but not including, 1.1.13 (fixed in 1.1.13)

Maven: io.projectreactor.netty:reactor-netty-core
Affected versions: 1.0.0 up to, but not including, 1.0.39 (fixed in 1.0.39)

Key Information

GHSA ID: GHSA-q24v-hpg3-v3jp
Published: November 28, 2023 9:30 AM
Last Modified: June 28, 2024 12:49 PM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: io.projectreactor.netty:reactor-netty-core
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.