Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Maven

GHSA-269q-hmxg-m83q

MEDIUM

Local Information Disclosure Vulnerability in io.netty:netty-codec-http

Also known asCVE-2022-24823
Published
May 10, 2022
Updated
Feb 4, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
2 known

EPSS Exploitation Probability

via FIRST.org ↗
1.0%probability of exploitation in next 30 days
Lower Risk59th percentile+0.63%
0.00%0.51%1.02%1.53%0.3%1.0%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
io.netty:netty-codec-http

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.

Description

Description

GHSA-5mcr-gq6c-3hq2 (CVE-2021-21290) contains an insufficient fix for the vulnerability identified.

Impact

When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.

This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.

Vulnerability Details

To fix the vulnerability the code was changed to the following:

    @SuppressJava6Requirement(reason = "Guarded by version check")
    public static File createTempFile(String prefix, String suffix, File directory) throws IOException {
        if (javaVersion() >= 7) {
            if (directory == null) {
                return Files.createTempFile(prefix, suffix).toFile();
            }
            return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();
        }
        if (directory == null) {
            return File.createTempFile(prefix, suffix);
        }
        File file = File.createTempFile(prefix, suffix, directory);
        // Try to adjust the perms, if this fails there is not much else we can do...
        file.setReadable(false, false);
        file.setReadable(true, true);
        return file;
    }

Unfortunately, this logic path was left vulnerable:

        if (directory == null) {
            return File.createTempFile(prefix, suffix);
        }

This file is still readable by all local users.

Patches

Update to 4.1.77.Final

Workarounds

Specify your own java.io.tmpdir when you start the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user or update to Java 7 or above.

References

For more information

If you have any questions or comments about this advisory:

Open an issue in netty

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
Mavenio.netty:netty-codec-httpall versions4.1.77.Final
Exploits & PoCs
2

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

Netty is an open-source, asynchronous event-driven network application f…

github.comNVDMay 2022

Netty is an open-source, asynchronous event-driven network application f…

github.comNVDMay 2022

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for io.netty:netty-codec-http. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update io.netty:netty-codec-http to 4.1.77.Final or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-269q-hmxg-m83q is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-269q-hmxg-m83q is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-269q-hmxg-m83q. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Description ### [GHSA-5mcr-gq6c-3hq2](https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2) (CVE-2021-21290) contains an insufficient fix for the vulnerability identified. ### Impact ### When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the sys
O3 Security · Impact-Aware SCA

Is GHSA-269q-hmxg-m83q in your dependencies?

O3 detects GHSA-269q-hmxg-m83q across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works