line/armeria

GitHub

github.com

armeria.dev

Releases376

Frequency1 week 3 days

Last Release 20 days ago

Stars5.11K

Your go-to microservice framework for any situation, from the creator of Netty et al. You can build any type of microservice leveraging your favorite technologies, including gRPC, Thrift, Kotlin, Retrofit, Reactive Streams, Spring Boot and Dropwizard.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-11752 ↗	Jun 19, 2026Friday, 19 June 2026, 06:17	—	—
A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host.
CVE-2024-1735 ↗	Feb 26, 2024Monday, 26 February 2024, 16:27	9.1 CRITICAL	—
A vulnerability has been identified in armeria-saml versions less than 1.27.2, allowing the use of malicious SAML messages to bypass authentication. All users who rely on armeria-saml older than version 1.27.2 must upgrade to 1.27.2 or later.
CVE-2023-44487 ↗	Oct 10, 2023Tuesday, 10 October 2023, 14:15	7.5 HIGH	—
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2023-38493 ↗	Jul 25, 2023Tuesday, 25 July 2023, 21:15	7.5 HIGH	—
Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue.
CVE-2021-43795 ↗	Dec 2, 2021Thursday, 2 December 2021, 18:15	7.5 HIGH	5 MEDIUM
Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path.
CVE-2019-16771 ↗	Dec 6, 2019Friday, 6 December 2019, 19:15	4.8 MEDIUM	5 MEDIUM
Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking.