{"uuid": "e1d42140-3982-4ffb-a343-784f52a2cc1d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-47qp-hqvx-6r3f", "type": "seen", "source": "https://gist.github.com/alon710/adfa7aacc3b80320d7d38d47591141d2", "content": "# GHSA-47QP-HQVX-6R3F: Remote Memory Exhaustion (Denial of Service) in JLine3 Telnet Server\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-47QP-HQVX-6R3F\n\n## Summary\nAn unauthenticated remote memory exhaustion vulnerability in the JLine3 Telnet server allows attackers to crash the host Java Virtual Machine (JVM). The flaw exists in the processing of the NEW-ENVIRON option, where the server accepts an arbitrary number of environment variables without limits, storing them in an unconstrained HashMap. Sending as little as 3.25 MB of payload data can exhaust a standard JVM heap and trigger an OutOfMemoryError. This vulnerability affects applications integrating the remote-telnet module of JLine3.\n\n## TL;DR\nUnauthenticated remote attackers can crash the JLine3 Telnet server via memory exhaustion by transmitting unbounded NEW-ENVIRON variables during protocol negotiation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Base Score**: 7.5\n- **EPSS Score**: Not Available\n- **Impact**: Denial of Service / JVM Crash\n- **Exploit Status**: PoC (Proof of Concept)\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Applications using the JLine3 Telnet server module (jline-remote-telnet)\n- **jline-remote-telnet**: < 4.2.1 (Fixed in: `4.2.1`)\n\n## Mitigation\n\n- Upgrade the dependency 'org.jline:jline-remote-telnet' to version 4.2.1 or higher.\n- Restrict TCP access to the exposed Telnet port using firewalls or ACLs to prevent external interaction.\n- Disable the remote-telnet module if it is not actively required for operations.\n\n**Remediation Steps:**\n1. Identify applications containing 'org.jline:jline-remote-telnet' dependencies.\n2. Update Maven 'pom.xml' or Gradle configurations to declare JLine3 version 4.2.1 or newer.\n3. Verify the dependency tree to ensure transitive dependencies are updated.\n4. Apply firewall rules limiting Telnet access strictly to secure administrative networks.\n\n## References\n\n- [GitHub Advisory for GHSA-47QP-HQVX-6R3F](https://github.com/advisories/GHSA-47qp-hqvx-6r3f)\n- [Fix Commit in GitHub Repository](https://github.com/jline/jline3/commit/934f09e6128cee33c2b13d42b6e859c1ee2d194b)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-47QP-HQVX-6R3F) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T13:41:25.000000Z"}