Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature

Where: Global (internet)
Category: cyber_advisory · maven

### Summary

Netty's handling of the HTTP/2 `SETTINGS_MAX_HEADER_LIST_SIZE` setting can be abused to produce an attack similar to HTTP/2 Rapid Reset.

### Details

The HTTP/2 specification defines a setting called `SETTINGS_MAX_HEADER_LIST_SIZE`. According to [the RFC](https://www.rfc-editor.org/rfc/rfc9113.html#name-defined-settings): "This advisory setting informs a peer of the maximum field section size that the sender is prepared to accept, in units of octets."

When a client sends that setting (with a small value) to Netty, it appears that Netty will behave as follows:

- Read the request
- Proxy the request to the origin
- Attempt to produce a response
- Throw an exception while writing the response headers, because their size exceeds the limit the client advertised

The server has therefore done the full work of serving the request before the stream is torn down, for the cost of one SETTINGS frame plus one cheap request per stream from the client. Functionally this should be similar to the HTTP/2 Rapid Reset attack, but with a different on-the-wire signature: the client never has to send the RST_STREAM frames that characterise Rapid Reset, because the stream fails on the server side instead.

### Remediation

When speaking with clients, Netty should treat this setting as what the specification says it is, advisory, and ignore it: that is, not apply the client-supplied `SETTINGS_MAX_HEADER_LIST_SIZE` when encoding the headers of its own responses. According to the spec a server does not need to honor this advisory setting, and other HTTP/2 implementations appear to ignore it when acting as a server. This is distinct from the limit the server advertises to its clients: the setting is per-direction, so the server's own `SETTINGS_MAX_HEADER_LIST_SIZE`, which bounds the request headers it is willing to accept, should still be sent and enforced.

### Impact

This is a DDoS attack similar to the HTTP/2 Rapid Reset Attack.

### Credit

Jonathan Looney (Engineering, Netflix)

### Contact

Ashley Tolbert (Security, Netflix) - artolbert@netflix.com
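The exchange described above, as an added example that is not part of the advisory or of Netty's code: a Python model that builds a real HTTP/2 SETTINGS frame in the RFC 9113 layout, has a toy reverse proxy parse it, and contrasts a server that honours the client-supplied `SETTINGS_MAX_HEADER_LIST_SIZE` when encoding its own response headers against one that ignores it. The `Origin`, `ProxyServer` and `run_attack` names, the point at which the size check happens, and the request counts are assumptions of this model, not Netty's API or measured behaviour; the frame layout and the header-list-size arithmetic (name + value + 32 octets per field) are the ones RFC 9113 defines.

```python
import struct

FRAME_TYPE_SETTINGS = 0x4
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6  # setting identifier, RFC 9113 section 6.5.2
HPACK_ENTRY_OVERHEAD = 32            # per-field overhead the limit counts, RFC 9113 section 6.5.2


def build_settings_frame(settings):
    """Encode a SETTINGS frame: 9-octet frame header, then 6 octets per (identifier, value)."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in settings.items())
    length = struct.pack(">I", len(payload))[1:]          # 24-bit length
    header = length + bytes([FRAME_TYPE_SETTINGS, 0x0])   # type, flags
    header += struct.pack(">I", 0)                        # R bit + stream id 0 (connection level)
    return header + payload


def parse_settings_frame(frame):
    """Decode a SETTINGS frame into {identifier: value}; reject anything malformed."""
    length = int.from_bytes(frame[:3], "big")
    frame_type = frame[3]
    stream_id = struct.unpack(">I", frame[5:9])[0] & 0x7FFFFFFF
    if frame_type != FRAME_TYPE_SETTINGS or stream_id != 0 or length % 6 != 0:
        raise ValueError("malformed SETTINGS frame")
    payload = frame[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated SETTINGS frame")
    return {ident: value for ident, value in struct.iter_unpack(">HI", payload)}


def header_list_size(headers):
    """Uncompressed size that SETTINGS_MAX_HEADER_LIST_SIZE applies to (name + value + 32 per field)."""
    return sum(len(name) + len(value) + HPACK_ENTRY_OVERHEAD for name, value in headers)


class Origin:
    """Stand-in back end (assumption): counts how much work the proxy pushes to it."""

    def __init__(self):
        self.requests_served = 0

    def handle(self, request):
        self.requests_served += 1
        return [(b":status", b"200"),
                (b"content-type", b"text/plain"),
                (b"x-request-id", b"0123456789abcdef")]


class ProxyServer:
    """Toy HTTP/2 reverse proxy (assumption); honour_client_limit selects the two behaviours."""

    def __init__(self, origin, honour_client_limit):
        self.origin = origin
        self.honour_client_limit = honour_client_limit
        self.remote_max_header_list_size = None
        self.responses_sent = 0
        self.encode_failures = 0

    def on_settings(self, frame):
        settings = parse_settings_frame(frame)
        if SETTINGS_MAX_HEADER_LIST_SIZE in settings:
            self.remote_max_header_list_size = settings[SETTINGS_MAX_HEADER_LIST_SIZE]

    def on_request(self, request):
        # The request is read and proxied in full before any response header is
        # encoded, so the origin does its work no matter what happens afterwards.
        response_headers = self.origin.handle(request)
        try:
            self._encode_headers(response_headers)
        except ValueError:
            self.encode_failures += 1  # the server itself tears the stream down
            return False
        self.responses_sent += 1
        return True

    def _encode_headers(self, headers):
        limit = self.remote_max_header_list_size
        if self.honour_client_limit and limit is not None and header_list_size(headers) > limit:
            raise ValueError("header list exceeds the peer's SETTINGS_MAX_HEADER_LIST_SIZE")


def run_attack(honour_client_limit, requests=1000):
    """Client advertises a 1-octet limit, then opens `requests` streams.

    Returns (origin requests served, responses sent, encode failures)."""
    origin = Origin()
    server = ProxyServer(origin, honour_client_limit)
    server.on_settings(build_settings_frame({SETTINGS_MAX_HEADER_LIST_SIZE: 1}))
    for _ in range(requests):
        server.on_request(b"GET /")
    return origin.requests_served, server.responses_sent, server.encode_failures


if __name__ == "__main__":
    print("honouring client limit:", run_attack(True))   # origin did 1000 requests, 0 responses delivered
    print("ignoring client limit: ", run_attack(False))  # origin did 1000 requests, all 1000 delivered
```

The honouring server proxies every request to the origin and then fails every response, so the attacker obtains full back-end work per stream while sending only cheap frames and never a RST_STREAM; the ignoring server serves all of them. The `header_list_size` function is the same arithmetic a server applies to incoming request headers against its own advertised limit, so it can be reused to check what that limit will reject.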
