CVE-2026-50010 - High Severity Vulnerability
Vulnerable Library - netty-handler-4.1.45.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Library home page: https://netty.io/
Path to dependency file: /owner-extras/pom.xml
Path to vulnerable library: /owner-extras/pom.xml
Dependency Hierarchy:
- curator-framework-4.3.0.jar (Root Library)
- curator-client-4.3.0.jar
- zookeeper-3.5.7.jar
- ❌ netty-handler-4.1.45.Final.jar (Vulnerable Library)
Found in HEAD commit: 12e21721ff1098fe44de120bf2737fd994f40fa6
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with "SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)" performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-50010
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
Step up your Open Source Security Game with Mend here
CVE-2026-50010 - High Severity Vulnerability
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: /owner-extras/pom.xml
Path to vulnerable library: /owner-extras/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 12e21721ff1098fe44de120bf2737fd994f40fa6
Found in base branch: master
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with "SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)" performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-50010
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
Step up your Open Source Security Game with Mend here