Netty MQTT 5 Properties Parsing Vulnerability Leading to Resource Exhaustion

Vulnerability

A resource exhaustion vulnerability has been identified in Netty's MQTT 5 implementation, specifically in versions prior to 4.2.13.Final and 4.1.133.Final. The issue arises in the MqttDecoder component, where the Properties section of the MQTT 5 header is parsed and buffered without first applying any message size limits. This oversight allows excessively large Properties sections to be decoded, leading to high CPU and memory usage. The vulnerability exists because MqttDecoder extends ReplayingDecoder, causing Netty to repeatedly re-parse and buffer the oversized Properties until the decoding process is complete.
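To make the point of the advisory concrete, here is an added stand-alone Python model (not Netty's code) of reading the MQTT 5 Properties length prefix, which is a Variable Byte Integer: the vulnerable pattern that trusts the declared length and keeps buffering until it all arrives sits beside the bounded pattern that rejects an oversized length before buffering anything. MAX_BYTES_IN_MESSAGE, the function names and the sample header are assumptions.

```python
# Assumed per-message cap, standing in for whatever limit a decoder is configured with.
MAX_BYTES_IN_MESSAGE = 8192

class PropertiesTooLarge(ValueError):
    """Raised when the declared Properties length exceeds the configured cap."""

def decode_vbi(buf: bytes, offset: int = 0) -> tuple:
    """Decode an MQTT Variable Byte Integer (1-4 bytes, 7 data bits each); return (value, bytes_consumed)."""
    value, multiplier, consumed = 0, 1, 0
    while True:
        if consumed == 4:
            raise ValueError("malformed variable byte integer")
        if offset + consumed >= len(buf):
            raise EOFError("need more data")  # a replaying decoder would buffer and retry here
        byte = buf[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if byte & 0x80 == 0:
            return value, consumed

def encode_vbi(value: int) -> bytes:
    """Encode an int as an MQTT Variable Byte Integer (used only to build the sample)."""
    out = bytearray()
    while True:
        byte, value = value % 128, value // 128
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)

def read_properties_unbounded(buf: bytes) -> "bytes | None":
    """Vulnerable pattern: trust the declared length and wait for all of it (None = keep buffering)."""
    length, consumed = decode_vbi(buf)
    if len(buf) - consumed < length:
        return None
    return buf[consumed:consumed + length]

def read_properties_bounded(buf: bytes, max_bytes: int = MAX_BYTES_IN_MESSAGE) -> "bytes | None":
    """Hardened pattern: reject an oversized declared length before buffering any of it."""
    length, consumed = decode_vbi(buf)
    if length > max_bytes:
        raise PropertiesTooLarge(f"declared {length} bytes, cap is {max_bytes}")
    if len(buf) - consumed < length:
        return None
    return buf[consumed:consumed + length]

# Constructed sample: a prefix declaring 100 MiB of Properties, followed by only 3 bytes.
OVERSIZED_HEADER = encode_vbi(100 * 1024 * 1024) + b"\x01\x02\x03"
```

The difference is where the check sits: the bounded reader fails on the four-byte length prefix alone, while the unbounded one keeps asking for more input until the full declared size has been accumulated.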

Impact

Exploitation of this vulnerability can result in significant resource consumption, causing high CPU and memory usage.

Remediation

Users can upgrade to Netty versions 4.2.13.Final or 4.1.133.Final to address this vulnerability.

Added: May 13, 2026, 7:21 PM
Updated: May 13, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          8.6
impact          2.5
exploitability  8.1
remediation     7.7
relevance       8.2
threat          0.0
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.