CVE Reports

Posted on • Originally published at cvereports.com

GHSA-47QP-HQVX-6R3F: Remote Memory Exhaustion (Denial of Service) in JLine3 Telnet Server

Vulnerability ID: GHSA-47QP-HQVX-6R3F
CVSS Score: 7.5
Published: 2026-06-18

An unauthenticated remote memory exhaustion vulnerability in the JLine3 Telnet server allows attackers to crash the host Java Virtual Machine (JVM). The flaw exists in the processing of the NEW-ENVIRON option, where the server accepts an arbitrary number of environment variables without limits, storing them in an unconstrained HashMap. Sending as little as 3.25 MB of payload data can exhaust a standard JVM heap and trigger an OutOfMemoryError. This vulnerability affects applications integrating the remote-telnet module of JLine3.

TL;DR

Unauthenticated remote attackers can crash the JLine3 Telnet server via memory exhaustion by transmitting unbounded NEW-ENVIRON variables during protocol negotiation.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-400
  • Attack Vector: Network (AV:N)
  • CVSS Base Score: 7.5
  • EPSS Score: Not Available
  • Impact: Denial of Service / JVM Crash
  • Exploit Status: PoC (Proof of Concept)
  • KEV Status: Not Listed

Affected Systems

  • Applications employing JLine3 Telnet server module (jline-remote-telnet)
  • jline-remote-telnet: < 4.2.1 (Fixed in: 4.2.1)

Code Analysis

Commit: 934f09e

readNEVariables() did not limit the number of environment variables a client could inject via the Telnet NEW-ENVIRON option. Add NE_VAR_COUNT_MAX (100) and abort the subnegotiation with skipToSE() when exceeded.
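To make the fix concrete, here is a simplified Java model of a NEW-ENVIRON (RFC 1572) variable parser with the per-subnegotiation count cap described in the commit. This is an added example written for this post, not JLine3's source: the constant and method names echo the commit message, but the parsing logic, escape handling and the constructed 1,000-variable input are assumptions of the example.

```java
import java.io.*;
import java.util.*;

// Minimal model of a NEW-ENVIRON (RFC 1572) IS/INFO body parser, written for this post; not JLine3's code.
public class NewEnvironParser {
    static final int IAC = 255, SE = 240, VAR = 0, VALUE = 1, USERVAR = 3;
    static final int NE_VAR_COUNT_MAX = 100; // per-subnegotiation cap, the same idea as the fix's constant

    // Parses "VAR name VALUE value ..." up to IAC SE, storing at most maxVars entries.
    static Map<String, String> readNEVariables(InputStream in, int maxVars) throws IOException {
        Map<String, String> env = new LinkedHashMap<>();
        StringBuilder name = new StringBuilder(), value = new StringBuilder(), target = null;
        int b;
        while ((b = in.read()) != -1) {
            if (b == IAC) {                        // IAC SE ends the block; IAC IAC is an escaped 0xFF data byte
                int next = in.read();
                if (next == SE || next == -1) break;
                if (next == IAC && target != null) target.append((char) IAC);
            } else if (b == VAR || b == USERVAR) { // a new variable begins: commit the previous one first
                commit(env, name, value);
                if (env.size() >= maxVars) { skipToSE(in); return env; } // cap hit: drop the rest, stay in sync
                name.setLength(0); value.setLength(0); target = name;
            } else if (b == VALUE) { target = value; }
            else if (target != null) { target.append((char) b); }
        }
        commit(env, name, value);
        return env;
    }

    private static void commit(Map<String, String> env, StringBuilder name, StringBuilder value) {
        if (name.length() > 0) env.put(name.toString(), value.toString());
    }

    // Consumes input through the next IAC SE; IAC IAC is escaped data, not a command prefix.
    static void skipToSE(InputStream in) throws IOException {
        for (int prev = -1, b; (b = in.read()) != -1; prev = (prev == IAC && b == IAC) ? -1 : b) {
            if (prev == IAC && b == SE) return;
        }
    }

    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream flood = new ByteArrayOutputStream(); // constructed input: 1000 variables, then IAC SE
        for (int i = 0; i < 1000; i++) { flood.write(VAR); flood.write(("k" + i).getBytes()); flood.write(VALUE); flood.write('v'); }
        flood.write(IAC); flood.write(SE);
        byte[] data = flood.toByteArray();
        System.out.println("unbounded: " + readNEVariables(new ByteArrayInputStream(data), Integer.MAX_VALUE).size()
                + " vars, capped: " + readNEVariables(new ByteArrayInputStream(data), NE_VAR_COUNT_MAX).size() + " vars");
    }
}
```

The uncapped call retains every entry the peer sends, which is the growth path the advisory describes; the capped call keeps the first 100 and discards the remainder of the subnegotiation while leaving the stream positioned after IAC SE so later negotiation still parses.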

Mitigation Strategies

  • Upgrade dependency 'org.jline:jline-remote-telnet' to version 4.2.1 or higher.
  • Restrict TCP access to the exposed Telnet port using firewalls or ACLs to prevent external interaction.
  • Disable the remote-telnet module if it is not actively required for operations.

Remediation Steps

  1. Identify applications containing 'org.jline:jline-remote-telnet' dependencies.
  2. Update Maven 'pom.xml' or Gradle configurations to declare JLine3 version 4.2.1 or newer.
  3. Verify the dependency tree to ensure transitive dependencies are updated.
  4. Apply firewall rules limiting Telnet access strictly to secure administrative networks.
