CVE-2025-24970 – io.netty:netty-handler

Package

Manager: maven
Name: io.netty:netty-handler
Vulnerable Version: >=4.1.91.final <4.1.118.final

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00216 pctl0.4416

Details

SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine ### Impact When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. ### Workarounds As workaround its possible to either disable the usage of the native SSLEngine or changing the code from: ``` SslContext context = ...; SslHandler handler = context.newHandler(....); ``` to: ``` SslContext context = ...; SSLEngine engine = context.newEngine(....); SslHandler handler = new SslHandler(engine, ....); ```

Metadata

Created: 2025-02-10T17:38:10Z
Modified: 2025-04-16T19:30:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-4g8c-wm8x-jfhw/GHSA-4g8c-wm8x-jfhw.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-4g8c-wm8x-jfhw
Finding: F184
Auto approve: 1