netty / netty

Netty project - an event-driven asynchronous network application framework

Home Page:http://netty.io


BDSA-2024-0720 Netty Vulnerable to Denial-of-Service (DoS) via Uncontrolled Memory Allocation in 'HttpPostRequestDecoder' Component

KafkaProServerless opened this issue · comments

Hello team,

Thank you for the work on this project.

Our company runs daily scans using BlackDuck, SonarQube, OWASP, etc.
And it found:

BDSA-2024-0720
High
CVSS3 Base : 7.5
CVSS3 Impact : 3.6
CVSS3 Exploitability : 3.9

Netty Vulnerable to Denial-of-Service (DoS) via Uncontrolled Memory Allocation in 'HttpPostRequestDecoder' Component
Description
Netty is vulnerable to denial-of-service (DoS) due to insufficient restrictions on the amount of memory that is allocated in the HttpPostRequestDecoder component. An attacker could exploit this by sending maliciously crafted data in order to cause an out-of-memory (OOM) error and a denial-of-service (DoS). Note: The vendor has mentioned that any Netty based HTTP server that uses the HttpPostRequestDecoder to decode a form is impacted.
Technical Description
This vulnerability exists within the HttpPostRequestDecoder functionality in multiple files in the codec-http/src/main/java/io/netty/handler/codec/http/multipart/ directory. There are insufficient limits on the number of fields a form can have when it is decoded. An attacker could send a crafted chunked post with a number of small fields which will result in the accumulation of data in the bodyListHttpData list. This results in the decoder cumulating bytes in the undecodedChunk buffer which does not have any limits, thus, leading to a denial-of-service (DoS) condition via an out-of-memory (OOM) error. It has been mitigated by introducing limits on both bodyListHttpData and the undecodedChunk buffer. maxFields defines the maximum number of fields a form can have and maxBufferedBytes defines the maximum amount of bytes a field can cumulate. The decoder controller will handle if a limit has been reached and will throw a decoder exception in a safe manner.
Vulnerability Source
BDSA

EXPLOIT | https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3

We do use HttpPostRequestDecoder, could you please help?

Just upgrade to the latest release which has the fix.
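As an added example of the mitigation the technical description above refers to (this is not code from the Netty project or from either participant in this issue), the handler below decodes a posted form with explicit maxFields and maxBufferedBytes limits and fails the request safely when either limit is hit. It assumes the five-argument constructor HttpPostRequestDecoder(factory, request, charset, maxFields, maxBufferedBytes) and the TooManyFormFieldsException / TooLongFormFieldException subclasses of DecoderException that the fixed release added; check those names against the Javadoc of the version you upgrade to. The limit values, the class name BoundedFormHandler and the response bodies are constructed for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;

import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpObject;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.handler.codec.http.multipart.Attribute;
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpPostRequestDecoder;
import io.netty.handler.codec.http.multipart.InterfaceHttpData;

/**
 * Added example, not Netty project code: decode a form with bounded memory use.
 * MAX_FIELDS caps the entries in bodyListHttpData; MAX_BUFFERED_BYTES caps the
 * bytes the decoder holds in undecodedChunk between chunks.
 */
public class BoundedFormHandler extends SimpleChannelInboundHandler<HttpObject> {

    // Constructed limits for this example; size them to what your forms legitimately need.
    private static final int MAX_FIELDS = 64;
    private static final int MAX_BUFFERED_BYTES = 16 * 1024;

    // Attributes above MINSIZE spill to disk instead of staying on the heap.
    private final HttpDataFactory factory = new DefaultHttpDataFactory(DefaultHttpDataFactory.MINSIZE);

    private HttpPostRequestDecoder decoder;

    @Override
    protected void channelRead0(ChannelHandlerContext ctx, HttpObject msg) {
        if (msg instanceof HttpRequest) {
            HttpRequest request = (HttpRequest) msg;
            // Only build a decoder for requests that carry a form body.
            if (!HttpMethod.POST.equals(request.method())) {
                reject(ctx, HttpResponseStatus.METHOD_NOT_ALLOWED);
                return;
            }
            // Assumed constructor from the fixed release: (factory, request, charset, maxFields, maxBufferedBytes).
            decoder = new HttpPostRequestDecoder(factory, request, StandardCharsets.UTF_8,
                    MAX_FIELDS, MAX_BUFFERED_BYTES);
        }
        if (msg instanceof HttpContent && decoder != null) {
            HttpContent chunk = (HttpContent) msg;
            try {
                // With the limits set, the decoder throws here instead of accumulating
                // an unbounded number of small fields across chunks.
                decoder.offer(chunk);
            } catch (DecoderException e) {
                // Covers the assumed TooManyFormFieldsException / TooLongFormFieldException
                // as well as ErrorDataDecoderException for malformed data.
                reject(ctx, HttpResponseStatus.REQUEST_ENTITY_TOO_LARGE);
                return;
            }
            if (chunk instanceof LastHttpContent) {
                handleForm(ctx, decoder.getBodyHttpDatas());
            }
        }
    }

    private void handleForm(ChannelHandlerContext ctx, List<InterfaceHttpData> fields) {
        StringBuilder summary = new StringBuilder();
        try {
            for (InterfaceHttpData data : fields) {
                if (data.getHttpDataType() == InterfaceHttpData.HttpDataType.Attribute) {
                    Attribute attr = (Attribute) data;
                    summary.append(attr.getName()).append('=').append(attr.getValue()).append('\n');
                }
            }
        } catch (IOException e) {
            reject(ctx, HttpResponseStatus.BAD_REQUEST);
            return;
        }
        cleanup();
        FullHttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1,
                HttpResponseStatus.OK, Unpooled.copiedBuffer(summary, StandardCharsets.UTF_8));
        response.headers().set(HttpHeaderNames.CONTENT_LENGTH, response.content().readableBytes());
        ctx.writeAndFlush(response);
    }

    private void reject(ChannelHandlerContext ctx, HttpResponseStatus status) {
        cleanup();
        FullHttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, status);
        response.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
        // Close after responding so the rest of an oversized body is never read.
        ctx.writeAndFlush(response).addListener(ChannelFutureListener.CLOSE);
    }

    private void cleanup() {
        if (decoder != null) {
            decoder.destroy(); // releases buffered data and any temp files the factory created
            decoder = null;
        }
    }

    @Override
    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
        cleanup();
        ctx.close();
    }
}
```

Two points on the design: cleanup() always runs on both the success and the rejection path, because the decoder owns reference-counted buffers and possibly temp files, and leaking those is its own slow-burn resource exhaustion. Setting the per-field and buffered-bytes limits in the decoder is also complementary to a body-size cap: if the pipeline already has an HttpObjectAggregator with a maxContentLength in front of this handler, the aggregator bounds the total body, while maxFields still bounds how many bodyListHttpData entries a body of that size can produce.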