Spring Security Advisories

CVE-2020-5403: DoS Via Malformed URL with Reactor Netty HTTP Server

MEDIUM | FEBRUARY 27, 2020 | CVE-2020-5403


Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response.

Affected Spring Products and Versions

  • Reactor Netty
    • 0.9.3
    • 0.9.4


Users of affected versions should upgrade to 0.9.5 (reactor-bom Dysprosium SR-5). No other steps are necessary.

  • Reactor Netty
    • 0.9.5


This issue was identified and responsibly reported by Wojciech Kuranowski.


  • 2020-02-27: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all