CVE-2015-2156

Severity: HIGH

Netty Cookie HttpOnly Flag Bypass via Improper Input Validation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-2156. PoCs published by dawetmaster and andikahilmy.

AI-analyzed exploit summary: The repository contains only the source code of the vulnerable Netty library (version 3.x) without any exploit code or technical analysis. It appears to be a placeholder or reference for the vulnerable software itself.

Description

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2015-2156-netty-vulnerable

The repository contains only the source code of the vulnerable Netty library (version 3.x) without any exploit code or technical analysis. It appears to be a placeholder or reference for the vulnerable software itself.

Classification: Stub (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Netty 3.x
Authentication: none needed
Prerequisites: None
Analyzed by devstral-2 · Mar 14, 2026
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2015-2156-netty-vulnerable

The repository contains only partial source code files from the Netty library, specifically the Bootstrap and ChannelBuffer classes, but lacks any exploit code or proof-of-concept demonstrating CVE-2015-2156. No malicious or functional exploit logic is present.

Classification: Stub (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Netty (version not specified)
Authentication: none needed
Analyzed by devstral-2 · Feb 18, 2026

References (12)

Core References
Vendor Advisory (x_refsource_confirm): http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
Third Party Advisory, vendor-advisory (x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
Third Party Advisory (x_refsource_confirm): https://github.com/netty/netty/pull/3754
Third Party Advisory, vendor-advisory (x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
Third Party Advisory, VDB Entry, vdb-entry (x_refsource_bid): http://www.securityfocus.com/bid/74704
Mailing List, Third Party Advisory, mailing-list (x_refsource_mlist): http://www.openwall.com/lists/oss-security/2015/05/17/1
Issue Tracking, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=1222923

Scores

CVSS v3: 7.5
EPSS: 0.0327
EPSS Percentile: 87.5%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-20
Status: published
Products (35):
io.netty/netty 3.10.0 - 3.10.3.Final (Maven)
io.netty/netty-parent 4.0.0 - 4.0.28.Final (Maven)
lightbend/play_framework 2.0 rc3 (3 CPE variants)
lightbend/play_framework 2.0.2 (3 CPE variants)
lightbend/play_framework 2.0.3 (3 CPE variants)
lightbend/play_framework 2.0.4 (3 CPE variants)
lightbend/play_framework 2.0.5 (3 CPE variants)
lightbend/play_framework 2.0.6
lightbend/play_framework 2.0.7
lightbend/play_framework 2.0.8
... and 25 more
Published: Oct 18, 2017
Tracked Since: Feb 18, 2026