5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-9622

GHSA ID

GHSA-5wpr-cj9p-959r

EPSS Score

0.22995%

CWE

CWE-444

Published

10/8/2024

Updated

10/8/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-9622

CVE-2024-9622: HTTP Request Smuggling Leading to Client Timeouts in resteasy-netty4

A vulnerability was found in the resteasy-netty4 library arising from improper handling of HTTP requests using smuggling techniques. When an HTTP smuggling request with an ASCII control character is sent, it causes the Netty HttpObjectDecoder to transition into a BAD_MESSAGE state. As a result, any subsequent legitimate requests on the same connection are ignored, leading to client timeouts, which may impact systems using load balancers and expose them to risk.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-9622

GHSA ID

GHSA-5wpr-cj9p-959r

EPSS Score

0.22995%

CWE

CWE-444

Published

10/8/2024

Updated

10/8/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jboss.resteasy:resteasy-netty4-cdi	maven	< 7.0.0.Alpha3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper state management in the HTTP decoder chain. The analysis shows that Netty's HttpObjectDecoder enters a BAD_MESSAGE state when processing malformed requests, but the surrounding RestEasyHttpRequestDecoder (which wraps Netty's decoder) does not adequately handle this state by either closing the connection or resetting the decoder. This matches the described vulnerability pattern where keep-alive connections remain in a broken state. The GitHub discussion explicitly references RestEasyHttpRequestDecoder's handling of decoder results and proposes fixes at this layer, confirming its role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in t** r*st**sy-n*tty* li*r*ry *risin* *rom improp*r **n*lin* o* *TTP r*qu*sts usin* smu**lin* t***niqu*s. W**n *n *TTP smu**lin* r*qu*st wit* *n *S*II *ontrol ***r**t*r is s*nt, it **us*s t** N*tty *ttpO*j**t***o**r to tr*n

Reasoning

T** vuln*r**ility st*ms *rom improp*r st*t* m*n***m*nt in t** `*TTP` ***o**r ***in. T** *n*lysis s*ows t**t N*tty's `*ttpO*j**t***o**r` *nt*rs * `***_M*SS***` st*t* w**n pro**ssin* m*l*orm** r*qu*sts, *ut t** surroun*in* `R*st**sy*ttpR*qu*st***o**r`

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-9622: HTTP Request Smuggling Leading to Client Timeouts in resteasy-netty4

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI