GHSA-5w86-c3rq-vjj7
Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length
Details
### Summary RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity.
### Details The aggregator starts a new aggregation level when it receives an ArrayHeaderRedisMessage. For positive lengths it pushes AggregateState, whose constructor runs `new ArrayList<>(length)`. No configurable maximum is applied in this handler, and the peer does not need to supply the array elements for the backing array allocation to occur.
In the same pipeline, RedisDecoder enforces RedisConstants.REDIS_MESSAGE_MAX_LENGTH for bulk string lengths but does not apply that cap to array header lengths. Declared array sizes can therefore be extremely large while still passing decoding, and the aggregator immediately attempts Object[] reservation.
io.netty.handler.codec.redis.RedisDecoder#decodeLength io.netty.handler.codec.redis.RedisArrayAggregator#decodeRedisArrayHeader
### Impact Availability / resource exhaustion via unbounded pre-allocation from untrusted RESP array headers.
Are you affected?
Enter the version of the package you're using.
Affected packages
4.2.0.Final Fixed in: 4.2.15.Final # pom.xml: bump <version>4.2.15.Final</version> for io.netty:netty-codec-redis 0 Fixed in: 4.1.135.Final # pom.xml: bump <version>4.1.135.Final</version> for io.netty:netty-codec-redis References
- https://github.com/netty/netty/security/advisories/GHSA-5w86-c3rq-vjj7 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-50011 [ADVISORY]
- https://github.com/netty/netty [PACKAGE]
- https://github.com/netty/netty/releases/tag/netty-4.1.135.Final [WEB]
- https://github.com/netty/netty/releases/tag/netty-4.2.15.Final [WEB]