CVE-2026-50011

Netty · Netty

A resource exhaustion vulnerability in the Netty RedisArrayAggregator allows unauthenticated attackers to cause a denial of service by triggering excessive memory pre-allocation.

Executive summary

An unauthenticated remote attacker can trigger a denial-of-service condition in Netty by exploiting improper memory pre-allocation in the RedisArrayAggregator.

Vulnerability

RedisArrayAggregator collects the elements of a RESP array into a single ArrayRedisMessage. When it receives the array header (the "*<count>\r\n" line that precedes the elements), it pre-allocates an ArrayList sized to the declared count before a single element has arrived. Because the count is taken straight from the wire with no upper bound, an unauthenticated peer can send a header of about a dozen bytes that declares a count in the billions and force the JVM to attempt an allocation of that size, which exhausts the heap or fails outright and crashes the application. Any deployment that places RedisArrayAggregator in a pipeline fed by an untrusted peer is exposed: a RESP-speaking server or proxy that accepts client connections, or a client that connects to a Redis endpoint it does not control.

Business impact

The CVSS score of 7.5 (High) reflects an availability-only impact that is reachable over the network without authentication: a single short message from any peer that can reach the listener is enough to crash the application. Exposure is limited to deployments that include the netty-codec-redis module and decode RESP from untrusted peers with RedisArrayAggregator; applications that use Netty for other protocols are not affected by this issue. For affected services the consequence is loss of availability (an outage, or a restart loop under sustained abuse), not exposure or corruption of data.

Remediation

Immediate Action: Upgrade to Netty 4.1.135.Final (for the 4.1.x line) or 4.2.15.Final (for the 4.2.x line), which add validation of the declared array length before the aggregator allocates from it. Check the resolved version of io.netty:netty-codec-redis in the build's dependency tree rather than the version pinned in the application's own manifest, since a transitive dependency may hold it at an older release.

Proactive Monitoring: Alert on OutOfMemoryError and on sudden heap growth in services that decode RESP, in particular when it occurs immediately after a new connection is accepted and before the peer has sent a complete command. RESP has no handshake, so a heap spike that coincides with a connection that sent only a few bytes and then dropped is a strong indicator of this trigger.

Compensating Controls: Where upgrading cannot happen immediately, insert a handler between RedisDecoder and RedisArrayAggregator that inspects each ArrayHeaderRedisMessage and closes the connection when the declared element count exceeds what the application legitimately needs, so that the oversized value never reaches the aggregator. Restricting network access to the RESP listener to known clients also shrinks the population of peers that can send the header at all.
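The following is an added example, not code from Netty or from this advisory, that illustrates both the trigger described under Vulnerability and the compensating control above: a small ChannelInboundHandlerAdapter placed between RedisDecoder and RedisArrayAggregator that rejects any ArrayHeaderRedisMessage whose declared length exceeds a limit, then drives the pipeline with an EmbeddedChannel. The class name RedisArrayLengthGuard, the limit of 1024 and the input bytes are this example's own choices; the Netty classes and methods it calls are the real ones.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.TooLongFrameException;
import io.netty.handler.codec.redis.ArrayHeaderRedisMessage;
import io.netty.handler.codec.redis.ArrayRedisMessage;
import io.netty.handler.codec.redis.RedisArrayAggregator;
import io.netty.handler.codec.redis.RedisBulkStringAggregator;
import io.netty.handler.codec.redis.RedisDecoder;
import io.netty.util.CharsetUtil;

/**
 * Added example (not Netty's own code): a pipeline handler that sits between
 * RedisDecoder and RedisArrayAggregator and rejects RESP array headers whose
 * declared element count exceeds a configured limit, so the aggregator never
 * sees the value it would otherwise use as an ArrayList capacity.
 */
public final class RedisArrayLengthGuard extends ChannelInboundHandlerAdapter {

    private final long maxArrayLength;

    /** @param maxArrayLength largest element count one RESP array may declare (policy value chosen by the deployer) */
    public RedisArrayLengthGuard(long maxArrayLength) {
        if (maxArrayLength < 0) {
            throw new IllegalArgumentException("maxArrayLength must be >= 0");
        }
        this.maxArrayLength = maxArrayLength;
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof ArrayHeaderRedisMessage) {
            // Every array header, nested ones included, passes here before the aggregator.
            // A RESP null array is encoded with length -1 and is never an allocation request.
            long declared = ((ArrayHeaderRedisMessage) msg).length();
            if (declared > maxArrayLength) {
                // Drop the peer before the aggregator can size a list from this value.
                // The exception travels down the pipeline to whatever exception handling exists.
                ctx.close();
                throw new TooLongFrameException(
                        "RESP array header declares " + declared
                        + " elements; limit is " + maxArrayLength);
            }
        }
        ctx.fireChannelRead(msg);
    }

    /** Demo against an EmbeddedChannel; the RESP bytes below are constructed for this example. */
    public static void main(String[] args) {
        EmbeddedChannel ch = new EmbeddedChannel(
                new RedisDecoder(),
                new RedisArrayLengthGuard(1024),   // limit chosen for the demo
                new RedisBulkStringAggregator(),
                new RedisArrayAggregator());

        // Legitimate request: a two-element array carrying "GET foo".
        ByteBuf ok = Unpooled.copiedBuffer("*2\r\n$3\r\nGET\r\n$3\r\nfoo\r\n", CharsetUtil.US_ASCII);
        ch.writeInbound(ok);
        ArrayRedisMessage cmd = ch.readInbound();
        System.out.println("aggregated " + cmd.children().size() + " elements");
        cmd.release();

        // Attack input: a 13-byte header claiming Integer.MAX_VALUE elements. Without the
        // guard, the aggregator would size an ArrayList to this count before any element arrives.
        ByteBuf attack = Unpooled.copiedBuffer("*2147483647\r\n", CharsetUtil.US_ASCII);
        try {
            ch.writeInbound(attack);   // EmbeddedChannel rethrows the recorded pipeline exception
            System.out.println("header accepted (guard missing?)");
        } catch (TooLongFrameException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("channel still open: " + ch.isOpen());
    }
}
```

Order matters: the guard must be added after RedisDecoder, which produces the header objects, and before RedisArrayAggregator, which allocates from them. Because every nested array produces its own header, the limit bounds each array individually rather than the total, so choose it from what the application actually accepts (Redis commands rarely carry more than a few thousand arguments) and keep the guard as a defence-in-depth layer after upgrading rather than as a substitute for the upgrade. The same handler protects a Netty-based client from a malicious server, since the client decodes RESP replies through the same codec.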

Exploitation status

Public Exploit Available: false

Analyst recommendation

Patch without delay: the trigger is a single unauthenticated message, so the absence of a public exploit offers little protection. Inventory every service that depends on io.netty:netty-codec-redis, confirm that the resolved version is at or above 4.1.135.Final or 4.2.15.Final, and restart the affected processes so the patched library is actually loaded.