Spring Security Advisories

All advisories

CVE-2020-5403: DoS Via Malformed URL with Reactor Netty HTTP Server

MEDIUM | FEBRUARY 27, 2020 | CVE-2020-5403

Description

Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response.

Affected Spring Products and Versions

  • Reactor Netty
    • 0.9.3
    • 0.9.4

Mitigation

Users of affected versions should upgrade to 0.9.5 (reactor-bom Dysprosium SR-5). No other steps are necessary.

  • Reactor Netty
    • 0.9.5

Credit

This issue was identified and responsibly reported by Wojciech Kuranowski.

References

History

  • 2020-02-27: Initial vulnerability report published.

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all