CVE-2024-9622: HTTP Request Smuggling Leading to Client Timeouts in resteasy-netty4
CVSS Score: 5.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2024-9622
GHSA ID:
EPSS Score: 0.22995%
CWE:
Published: 10/8/2024
Updated: 10/8/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jboss.resteasy:resteasy-netty4-cdi | maven | < 7.0.0.Alpha3 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper state management in the HTTP decoder chain. Netty's HttpObjectDecoder enters a BAD_MESSAGE state when it processes a malformed request, but the surrounding RestEasyHttpRequestDecoder (which wraps Netty's decoder) does not adequately handle this state by either closing the connection or resetting the decoder. This matches the described vulnerability pattern, in which keep-alive connections remain in a broken state and subsequent clients time out. The GitHub discussion explicitly references RestEasyHttpRequestDecoder's handling of decoder results and proposes fixes at this layer, confirming its role in the vulnerability.
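The missing handling described above, shown as an added example rather than RESTEasy's own code or its actual patch: a hypothetical Netty 4 inbound handler that sits directly after the HTTP decoder, checks the DecoderResult of each HttpObject it emits, and closes the keep-alive connection on failure instead of leaving the channel in the BAD_MESSAGE state. It assumes a standard Netty 4.1 pipeline and the class name BadMessageCloseHandler is invented for the example.

```java
// Added example (hypothetical), not code from RESTEasy or its fix for CVE-2024-9622.
// Placed after HttpServerCodec/HttpRequestDecoder in a Netty 4.1 pipeline, this handler
// turns a failed decode (the BAD_MESSAGE state described above) into a 400 response
// and an explicit connection close, so a broken keep-alive channel cannot linger and
// time out later requests on the same connection.
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.DecoderResult;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpHeaderValues;
import io.netty.handler.codec.http.HttpObject;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.ReferenceCountUtil;

public class BadMessageCloseHandler extends ChannelInboundHandlerAdapter {

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof HttpObject) {
            DecoderResult result = ((HttpObject) msg).decoderResult();
            if (result.isFailure()) {
                // Drop the partial message; nothing downstream should act on it.
                ReferenceCountUtil.release(msg);
                // Stop reading: the framing of any further bytes on this connection is unknown.
                ctx.channel().config().setAutoRead(false);
                FullHttpResponse response = new DefaultFullHttpResponse(
                        HttpVersion.HTTP_1_1, HttpResponseStatus.BAD_REQUEST);
                response.headers()
                        .set(HttpHeaderNames.CONNECTION, HttpHeaderValues.CLOSE)
                        .set(HttpHeaderNames.CONTENT_LENGTH, 0);
                // Close once the response is flushed, so the client is not left waiting.
                ctx.writeAndFlush(response).addListener(ChannelFutureListener.CLOSE);
                return;
            }
        }
        // Well-formed objects continue to the RESTEasy request decoder as before.
        ctx.fireChannelRead(msg);
    }
}
```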