Conversation

@halimsadab halimsadab commented Oct 8, 2025

This PR backports the security fixes into the v4.1.100.Final branch to remediate the critical CVE-2024-29025 vulnerability. The vulnerability allows attackers to exhaust server memory by submitting unlimited small fields or a growing incomplete field, leading to resource exhaustion, degraded service, or eventual crash (OOM). These risks apply to any application accepting form or multipart HTTP uploads.

Overview of Changes

This PR modifies 4 files:

  • HttpPostMultipartRequestDecoder.java: Added input validation for maxBufferedBytes and maxFields parameters to enforce configured upper bounds during multipart form decoding. Introduced exceptions raised when these limits are exceeded to prevent unbounded memory usage. Defaults are applied if limits are not explicitly set, ensuring consistent protection.
  • HttpPostRequestDecoder.java: Implemented strict limit checks within the data offer and decode pipelines for maximum allowed form fields and buffered bytes per field. Applied sanitation of input values for these limits to avoid misconfiguration. Enhanced error handling to throw precise exceptions when bounds are breached, ensuring early termination before server resource exhaustion.
  • HttpPostStandardRequestDecoder.java: Refined enforcement of maxBufferedBytes and maxFields limits in the decoding process for standard URL-encoded POST content. Added robust checks analogous to the multipart decoder, providing uniform safety across encoding types in Netty’s HTTP POST decoder implementations.
  • HttpPostRequestDecoderTest.java: Extended and updated tests to cover the new limit enforcement logic, including cases where max field count and max buffered bytes are exceeded. Validated that the expected exceptions (TooManyFormFieldsException, TooLongFormFieldException) are thrown under attack scenarios. Included default limit configuration tests ensuring fallback protections.

Backporting these changes allows users constrained to 4.1.100.Final to benefit from the critical security safeguards introduced in 4.1.108.Final without requiring a full upgrade path.
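The description above names the two limits (maxFields, maxBufferedBytes) and the two exceptions (TooManyFormFieldsException, TooLongFormFieldException) that the backport adds. The handler below is an added example, not code from this PR or from Netty, showing how an application consumes those limits so that a crossed bound ends the request with a 4xx response and a closed connection instead of growing the heap. It assumes the backported HttpPostRequestDecoder exposes a constructor that takes the two limits after the charset, and that the two new exceptions are nested static classes of HttpPostRequestDecoder like its existing decoder exceptions; the class name BoundedFormUploadHandler and the limit values are hypothetical.

```java
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpHeaderValues;
import io.netty.handler.codec.http.HttpObject;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.handler.codec.http.multipart.Attribute;
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpPostRequestDecoder;
import io.netty.handler.codec.http.multipart.InterfaceHttpData;
import io.netty.util.CharsetUtil;
import java.io.IOException;

// Example handler (hypothetical, not part of the PR): decodes form/multipart bodies
// chunk by chunk with explicit bounds and fails fast when a bound is crossed.
public class BoundedFormUploadHandler extends SimpleChannelInboundHandler<HttpObject> {

    // Policy values chosen for this example; derive them from your own request profile.
    private static final int MAX_FIELDS = 64;
    private static final int MAX_BUFFERED_BYTES = 16 * 1024;

    // MINSIZE keeps small attributes in memory and spills larger ones to disk.
    private final HttpDataFactory factory = new DefaultHttpDataFactory(DefaultHttpDataFactory.MINSIZE);
    private HttpPostRequestDecoder decoder;

    @Override
    protected void channelRead0(ChannelHandlerContext ctx, HttpObject msg) throws Exception {
        if (msg instanceof HttpRequest) {
            // Assumed constructor of the backported decoder: the two trailing
            // arguments are the bounds enforced while decoding.
            decoder = new HttpPostRequestDecoder(factory, (HttpRequest) msg, CharsetUtil.UTF_8,
                    MAX_FIELDS, MAX_BUFFERED_BYTES);
        }
        if (decoder == null || !(msg instanceof HttpContent)) {
            return;
        }
        try {
            decoder.offer((HttpContent) msg);   // throws as soon as a limit is exceeded
            drainCompletedFields();
            if (msg instanceof LastHttpContent) {
                respond(ctx, HttpResponseStatus.OK, "accepted", false);
                cleanup();
            }
        } catch (HttpPostRequestDecoder.TooManyFormFieldsException e) {
            reject(ctx, HttpResponseStatus.BAD_REQUEST, "too many form fields");
        } catch (HttpPostRequestDecoder.TooLongFormFieldException e) {
            reject(ctx, HttpResponseStatus.REQUEST_ENTITY_TOO_LARGE, "form field too large");
        } catch (HttpPostRequestDecoder.ErrorDataDecoderException e) {
            reject(ctx, HttpResponseStatus.BAD_REQUEST, "malformed form body");
        }
    }

    // Consume the fields that are complete so far; each one is bounded by MAX_BUFFERED_BYTES.
    private void drainCompletedFields() throws IOException {
        try {
            while (decoder.hasNext()) {
                InterfaceHttpData data = decoder.next();
                if (data instanceof Attribute) {
                    Attribute attr = (Attribute) data;
                    System.out.println("field " + attr.getName() + ": " + attr.getValue().length() + " chars");
                }
            }
        } catch (HttpPostRequestDecoder.EndOfDataDecoderException e) {
            // Expected: no further complete field in the data buffered so far.
        }
    }

    // Answer, close the connection so the rest of the body is never read, and free the decoder.
    private void reject(ChannelHandlerContext ctx, HttpResponseStatus status, String reason) {
        respond(ctx, status, reason, true);
        cleanup();
    }

    private static void respond(ChannelHandlerContext ctx, HttpResponseStatus status,
                                String text, boolean close) {
        FullHttpResponse res = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, status,
                Unpooled.copiedBuffer(text, CharsetUtil.UTF_8));
        res.headers().set(HttpHeaderNames.CONTENT_TYPE, "text/plain; charset=UTF-8");
        res.headers().setInt(HttpHeaderNames.CONTENT_LENGTH, res.content().readableBytes());
        if (close) {
            res.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.CLOSE);
            ctx.writeAndFlush(res).addListener(ChannelFutureListener.CLOSE);
        } else {
            ctx.writeAndFlush(res);
        }
    }

    // destroy() releases buffered attributes and deletes any spilled temp files.
    private void cleanup() {
        if (decoder != null) {
            decoder.destroy();
            decoder = null;
        }
    }

    @Override
    public void channelInactive(ChannelHandlerContext ctx) {
        cleanup();   // peer went away mid-upload: do not leak buffered data
    }
}
```

The handler sits after HttpServerCodec in the pipeline without an HttpObjectAggregator in front of it, so the body arrives as HttpContent chunks and the decoder can stop at the first chunk that crosses a limit rather than after the whole body has been buffered. Closing the connection on rejection matters for the same reason: continuing to read the remaining body would be the resource drain the limits exist to prevent. Per the description, a decoder built without explicit limits still gets the defaults, so the constructor arguments only tighten or loosen that baseline.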

@halimsadab halimsadab changed the title Fix CVE-2024-29025 in v4.1.100-Final Fix CVE-2024-29025 in v4.1.100.Final Oct 8, 2025