Spring Security Advisories

CVE-2023-34054: Reactor Netty HTTP Server Metrics DoS Vulnerability

MEDIUM | NOVEMBER 27, 2023 | CVE-2023-34054


In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.

Affected Spring Products and Versions

  • Reactor Netty
    • 1.1.0 to 1.1.12
    • 1.0.0 to 1.0.38
    • And older unsupported versions


Users of affected versions should apply the following mitigation. 1.1.x users should upgrade to 1.1.13. 1.0.x users should upgrade to 1.0.39. No other steps are necessary.

Releases that have fixed this issue include:

  • Reactor Netty
    • 1.1.13
    • 1.0.39

As a temporary workaround, Reactor Netty 1.1.x and 1.0.x users can choose to disable Reactor Netty HTTP Server built-in integration with Micrometer.


The issue was identified and responsibly reported by James Yuzawa (https://github.com/yuzawa-san).

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all