{"id":"GHSA-q24v-hpg3-v3jp","summary":"Reactor Netty HTTP Server denial of service vulnerability","details":"In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\n\nSpecifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.","aliases":["CVE-2023-34054"],"modified":"2026-02-04T02:57:17.291193Z","published":"2023-11-28T09:30:27Z","related":["CGA-x2cw-f7rc-fw6v"],"database_specific":{"severity":"HIGH","nvd_published_at":"2023-11-28T09:15:07Z","github_reviewed_at":"2023-11-28T20:53:41Z","cwe_ids":[],"github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34054"},{"type":"WEB","url":"https://github.com/reactor/reactor-netty/commit/37dc8a2ef6514cd7834e75e7f3faf0b9ea044c88"},{"type":"WEB","url":"https://github.com/reactor/reactor-netty/commit/4ddbb1b9b985bb72290110ebae468a54e7f19420"},{"type":"WEB","url":"https://github.com/reactor/reactor-netty/commit/ae82154e99e6f51f4816effd135f0c3a966d6ea3"},{"type":"PACKAGE","url":"https://github.com/reactor/reactor-netty"},{"type":"WEB","url":"https://github.com/reactor/reactor-netty/releases/tag/v1.0.39"},{"type":"WEB","url":"https://github.com/reactor/reactor-netty/releases/tag/v1.1.13"},{"type":"WEB","url":"https://spring.io/security/cve-2023-34054"}],"affected":[{"package":{"name":"io.projectreactor.netty:reactor-netty-core","ecosystem":"Maven","purl":"pkg:maven/io.projectreactor.netty/reactor-netty-core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.1.0"},{"fixed":"1.1.13"}]}],"versions":["1.1.0","1.1.1","1.1.10","1.1.11","1.1.12","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.1.8","1.1.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-q24v-hpg3-v3jp/GHSA-q24v-hpg3-v3jp.json"}},{"package":{"name":"io.projectreactor.netty:reactor-netty-core","ecosystem":"Maven","purl":"pkg:maven/io.projectreactor.netty/reactor-netty-core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.0.0"},{"fixed":"1.0.39"}]}],"versions":["1.0.0","1.0.1","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.19","1.0.2","1.0.20","1.0.21","1.0.22","1.0.23","1.0.24","1.0.25","1.0.26","1.0.27","1.0.28","1.0.29","1.0.3","1.0.30","1.0.31","1.0.32","1.0.33","1.0.34","1.0.35","1.0.36","1.0.37","1.0.38","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-q24v-hpg3-v3jp/GHSA-q24v-hpg3-v3jp.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}