JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not limit the number of environment variables a client may inject via the Telnet NEW-ENVIRON option, and TelnetIO.readNEVariables() in TelnetIO.java:1127-1180 stores each variable pair in a HashMap held by ConnectionData, allowing an unauthenticated attacker to flood unique variable pairs before the terminating IAC SE byte and exhaust JVM heap memory with an OutOfMemoryError. This issue is fixed in versions 3.30.14, 4.0.16, and 4.2.1.
https://github.com/jline/jline3/security/advisories/GHSA-47qp-hqvx-6r3f
https://github.com/jline/jline3/releases/tag/jline-3.30.14
https://github.com/jline/jline3/releases/tag/4.2.1
https://github.com/jline/jline3/releases/tag/4.0.16
https://github.com/jline/jline3/pull/2001
https://github.com/jline/jline3/pull/2000
https://github.com/jline/jline3/commit/934f09e6128cee33c2b13d42b6e859c1ee2d194b
https://github.com/jline/jline3/commit/4ee3a73849ffb9a85ec748e4e8cd8f6d81f84f40
https://github.com/jline/jline3/commit/0389f0ee6d0375901b602671ad5dafd4d1d4ee09