Summary
The JLine3 Telnet server (remote-telnet module) does not apply an upper bound to
terminal dimensions received via the Telnet NAWS (Negotiate About Window Size) option.
An unauthenticated remote attacker can send a NAWS subnegotiation advertising a
65535×65535 terminal and repeatedly alternate values to trigger continuous, expensive
rendering work on the server, causing CPU exhaustion and denial of service.
Details
TelnetIO.handleNAWS() (TelnetIO.java:856-879) reads the client-supplied width and
height as 16-bit unsigned integers and passes them to setTerminalGeometry():
// TelnetIO.java:869-875
private void setTerminalGeometry(int columns, int rows) {
if (columns < SMALLEST_BELIEVABLE_WIDTH) columns = DEFAULT_WIDTH; // lower bound only
if (rows < SMALLEST_BELIEVABLE_HEIGHT) rows = DEFAULT_HEIGHT;
connectionData.setTerminalGeometry(columns, rows);
connection.processConnectionEvent(
new ConnectionEvent(connection, ConnectionEvent.Type.CONNECTION_TERMINAL_GEOMETRY_CHANGED));
}
Only a lower bound is enforced (minimum 20 columns / 6 rows). Values up to 65535 are
accepted and stored. The geometry change event propagates to Telnet.java:153-158 where
it calls:
terminal.setSize(new Size(65535, 65535));
terminal.raise(Signal.WINCH);
The WINCH signal triggers LineReaderImpl.handleSignal() → redisplay(). Insideredisplay(), multiple paths iterate up to size.getColumns() times:
freshLine()(LineReaderImpl.java:937,953): loopssize.getColumns()-1= 65534
iterations, building and writing a space-padding string across the network socket.columnSplitLength(terminal, size.getColumns(), ...): called multiple times,
each processing all characters against the 65535-wide line width.
Because WINCH only fires on change, the attacker alternates between two large values
(e.g., 65535 and 65534) to trigger an unlimited stream of expensive render cycles.
No authentication is required; the NAWS option is negotiated before any login sequence.
Affected source files:
remote-telnet/src/main/java/org/jline/builtins/telnet/TelnetIO.javalines 856-879remote-telnet/src/main/java/org/jline/builtins/telnet/Telnet.javalines 140-175reader/src/main/java/org/jline/reader/impl/LineReaderImpl.javalines 929-962, 1293-1313
PoC
Send the following two raw Telnet packets in a loop to a running JLine Telnet server.
No login or authentication is required.
Packet 1, NAWS 65535 × 65535:
FF FA 1F FF FF FF FF FF F0
(IAC SB NAWS 0xFF 0xFF 0xFF 0xFF IAC SE)
Packet 2, NAWS 65534 × 65534:
FF FA 1F FF FE FF FE FF F0
(IAC SB NAWS 0xFF 0xFE 0xFF 0xFE IAC SE)
Sending these alternately at ~10 packets/second is sufficient to peg one CPU core on
the server. The server remains in this state for as long as the connection is open.
Reproduction environment:
- JLine3 built from current master on x86_64 Linux, OpenJDK 25.0.2
remote-telnetmodule started with its defaultTelnetserver configuration- Test confirmed by source-code analysis and tracing the call chain at runtime
Credits
This issue was identified by Michał Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.
Impact
Type: Denial of Service (CPU exhaustion)
Who is affected: Any application that embeds the JLine3 remote-telnet module and
exposes its Telnet server on a network interface. The attacker requires no credentials.
A single connection making ~10 alternating NAWS packets per second fully occupies the
connection-handling thread and produces continuous I/O on the server's output stream.
Because connection threads are re-used for the life of the session, one attacker per
available connection slot can deny service to all users of that slot.
Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.
GHSA-2R2C-CX56-8933 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.2.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-2R2C-CX56-8933? GHSA-2R2C-CX56-8933 is a high-severity uncontrolled resource consumption vulnerability in org.jline:jline-remote-telnet (maven), affecting versions < 4.2.1. It is fixed in 4.2.1. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
- How severe is GHSA-2R2C-CX56-8933? GHSA-2R2C-CX56-8933 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of org.jline:jline-remote-telnet are affected by GHSA-2R2C-CX56-8933? org.jline:jline-remote-telnet (maven) versions < 4.2.1 is affected.
- Is there a fix for GHSA-2R2C-CX56-8933? Yes. GHSA-2R2C-CX56-8933 is fixed in 4.2.1. Upgrade to this version or later.
- Is GHSA-2R2C-CX56-8933 exploitable, and should I be worried? Whether GHSA-2R2C-CX56-8933 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-2R2C-CX56-8933 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-2R2C-CX56-8933? Upgrade
org.jline:jline-remote-telnetto 4.2.1 or later.