Spring blog

All Posts
Engineering
Releases
News and Events

CVE Reports Published for Reactor Netty

News | Rossen Stoyanchev | February 27, 2020 | ...

The following CVE reports were published today:

  • CVE-2020-5403 affecting Reactor Netty HttpServer 0.9.3 and 0.9.4.
  • CVE-2020-5404 affecting Reactor Netty HttpClient for all 0.8.x and 0.9.x versions in applications where the automatic following of redirects is explicitly enabled.

The fixes are in Reactor Netty 0.9.5 and 0.8.16. If using the reactor-bom, you can upgrade to Dysprosium-SR5 or Californium-SR16.

Reactor Netty is used internally in many frameworks including Spring WebFlux and its WebClient. If you have a Spring Boot application, you can upgrade to Spring Boot 2.2.5 or 2.1.13.

Get the Spring newsletter

Thank you for your interest. Someone will get back to you shortly.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all