Spring Security Advisories

CVE-2019-16869: Reactor Netty Consumes a Vulnerable Version of Netty

HIGH | OCTOBER 28, 2019 | CVE-2019-16869


Reactor Netty, versions 0.8.x prior to 0.8.13 and 0.9.x prior to 0.9.1, depends on vulnerable versions of netty (versions prior to 4.1.42), which incorrectly handles whitespace before a colon in headers, leading to HTTP request smuggling attacks.

Affected Spring Products and Versions




  • 2019-10-28: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all