Summary
The JLine3 Telnet server (remote-telnet module) does not limit the number of
environment variables a client may inject via the Telnet NEW-ENVIRON option. An
unauthenticated attacker can flood the server with a large number of unique
variable pairs before sending the terminating IAC SE byte, exhausting JVM heap
memory and causing an OutOfMemoryError (denial of service). Approximately 3–4 MB of
network traffic is sufficient to consume a 512 MB JVM heap.
Details
TelnetIO.readNEVariables() (TelnetIO.java:1127-1180) processes incoming NEW-ENVIRON
variable pairs in a loop and stores each pair in a HashMap held by ConnectionData:
// TelnetIO.java:1139-1178
boolean cont = true;
if (i == NE_VAR || i == NE_USERVAR) {
do {
switch (readNEVariableName(sbuf)) {
case NE_VAR_OK:
TelnetIO.this.connectionData.getEnvironment().put(str, sbuf.toString());
// ← no per-connection count limit
break;
case NE_VAR_UNDEFINED:
break; // cont remains true, loop continues
}
} while (cont); // cont is never set to false; only exits via return
}
The variable accumulator map is a plain HashMap initialized with capacity 20 and
no maximum size:
// ConnectionData.java:98
environment = new HashMap<String, String>(20);
Per-variable limits exist (name: max 50 chars, value: max 1000 chars), but there is no
cap on the count of variables. Each map entry occupies approximately 2 KB of heap
(String headers + Map.Entry + backing char arrays). On a JVM with a 512 MB heap,
approximately 250,000 unique entries trigger an OutOfMemoryError.
Network cost: using sequential 1-byte names (e.g., \x01, \x02, ...) and 1-byte
values, each variable pair requires roughly 13 protocol bytes. Sending 250,000 pairs
requires only ~3.25 MB of network traffic, feasible in seconds over any reasonable
network connection.
No authentication is required. NEW-ENVIRON negotiation occurs before login.
Affected source files:
remote-telnet/src/main/java/org/jline/builtins/telnet/TelnetIO.javalines 1127-1180remote-telnet/src/main/java/org/jline/builtins/telnet/ConnectionData.javaline 98
PoC
Connect to the JLine3 Telnet server and, after completing WILL/DO option negotiation,
send a NEW-ENVIRON SEND subneg followed by a single large IS subneg containing
thousands of unique variable pairs before the final IAC SE.
Protocol structure (no authentication required):
- Standard Telnet option negotiation (IAC DO NEW-ENVIRON, IAC WILL NEW-ENVIRON)
- Server sends IAC SB NEW-ENVIRON SEND IAC SE
- Client responds with: IAC SB NEW-ENVIRON IS
[NE_VAR 0x01 NE_VALUE 0x01] ← variable pair 1
[NE_VAR 0x02 NE_VALUE 0x01] ← variable pair 2
... repeated N times ...
IAC SE ← only sent after N pairs
Each iteration adds one entry to the per-connection environment map. The connection
thread blocks reading from the socket while accumulating pairs, so the attacker
controls the timing of the OOM.
Reproduction environment:
- JLine3 built from current master on x86_64 Linux, OpenJDK 25.0.2
remote-telnetmodule started with its default configuration- Confirmed by source-code analysis; loop exit condition and missing count guard
verified by inspection ofreadNEVariables()andConnectionDataconstructor
Credits
This issue was identified by Michał Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.
Impact
Type: Denial of Service (heap memory exhaustion / OutOfMemoryError)
Who is affected: Any application embedding the JLine3 remote-telnet module and
exposing its Telnet server. No credentials are required. A single connection can exhaust
the entire JVM heap, crashing the host process or triggering JVM out-of-memory
handling that impacts all users sharing that JVM instance.
Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.
GHSA-47QP-HQVX-6R3F has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.2.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-47QP-HQVX-6R3F? GHSA-47QP-HQVX-6R3F is a high-severity uncontrolled resource consumption vulnerability in org.jline:jline-remote-telnet (maven), affecting versions < 4.2.1. It is fixed in 4.2.1. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
- How severe is GHSA-47QP-HQVX-6R3F? GHSA-47QP-HQVX-6R3F has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of org.jline:jline-remote-telnet are affected by GHSA-47QP-HQVX-6R3F? org.jline:jline-remote-telnet (maven) versions < 4.2.1 is affected.
- Is there a fix for GHSA-47QP-HQVX-6R3F? Yes. GHSA-47QP-HQVX-6R3F is fixed in 4.2.1. Upgrade to this version or later.
- Is GHSA-47QP-HQVX-6R3F exploitable, and should I be worried? Whether GHSA-47QP-HQVX-6R3F is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-47QP-HQVX-6R3F is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-47QP-HQVX-6R3F? Upgrade
org.jline:jline-remote-telnetto 4.2.1 or later.