Description
Netty QUIC codec is a QUIC codec for netty which makes use of quiche. An issue was discovered in the codec. A hash collision vulnerability (in the hash map used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs). This vulnerability is fixed in 0.0.71.Final.
Scores
CVSS v3
5.3
EPSS
0.0049
EPSS Percentile
65.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-407
Status
published
Products (2)
io.netty.incubator/netty-incubator-codec-quic
0 - 0.0.71.FinalMaven
netty/netty-incubator-codec-quic
< 0.0.71.Final
Published
Mar 31, 2025
Tracked Since
Feb 18, 2026