CVE-2024-9622 is a vulnerability identified in the resteasy-netty4 library, which is a component used for handling HTTP requests in Java-based applications leveraging the Netty framework. The root cause is an inconsistent interpretation of HTTP requests when an attacker sends a specially crafted HTTP request containing ASCII control characters designed to exploit HTTP request smuggling techniques. When such a request is processed, the Netty HttpObjectDecoder transitions into a BAD_MESSAGE state, effectively marking the connection as corrupted. Consequently, any subsequent legitimate HTTP requests sent over the same persistent connection are ignored, causing client-side timeouts and denial of service conditions. This behavior can disrupt communication between clients and servers, especially in environments using load balancers or reverse proxies that maintain persistent HTTP connections to backend services. The vulnerability does not allow for data leakage or modification but impacts the availability of services. The CVSS 3.1 base score is 5.3 (medium), reflecting the network attack vector, low complexity, no privileges required, and no user interaction needed. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly.

The primary impact of CVE-2024-9622 is a denial of service condition caused by the disruption of HTTP request processing on affected systems. Organizations relying on resteasy-netty4 for HTTP request handling, especially those using load balancers or reverse proxies that maintain persistent connections, may experience client timeouts and degraded service availability. This can lead to reduced reliability of web applications, potential loss of customer trust, and operational disruptions. While the vulnerability does not compromise confidentiality or integrity, the availability impact can be significant for high-traffic or critical services. Attackers can exploit this remotely without authentication, increasing the risk of widespread disruption. Enterprises with microservices architectures or API gateways using Netty-based HTTP servers are particularly at risk. The lack of known exploits in the wild currently limits immediate threat but does not reduce the urgency of mitigation.

To mitigate CVE-2024-9622, organizations should first monitor for updates or patches from the resteasy-netty4 maintainers and apply them promptly once available. In the absence of official patches, consider implementing network-level protections such as Web Application Firewalls (WAFs) configured to detect and block HTTP requests containing suspicious ASCII control characters or malformed headers indicative of request smuggling attempts. Additionally, configure load balancers and reverse proxies to limit or disable HTTP persistent connections where feasible, forcing new connections per request to avoid state corruption. Employ strict input validation and sanitization on incoming HTTP requests to reject malformed or suspicious payloads early. Logging and monitoring for unusual HTTP connection resets or client timeouts can help detect exploitation attempts. Finally, review and update incident response plans to include scenarios involving HTTP request smuggling and denial of service conditions.