CVE-2025-24970

CVE-2025-24970

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.

Published Feb 11, 2025

https://github.com/advisories/GHSA-4g8c-wm8x-jfhw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-handler/CVE-2025-24970.yml https://osv-vulnerabilities.storage.googleapis.com/Maven/GHSA-4g8c-wm8x-jfhw.json https://www.oracle.com/security-alerts/cpuapr2025.html https://www.oracle.com/security-alerts/cpujul2025.html

CVSS ScoreHigh

7.5

Vulnerabilities

CVE-2025-24970

Published Feb 11, 2025

CVSS ScoreHigh

7.5

CVE-2025-24970 Security Details

CVE ID: CVE-2025-24970
CWE: CWE-20
NVD-CWE-noinfo
CVE Description: Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
Published: Feb 11, 2025
CVSS Score & Severity: 7.5High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.953%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: io/netty/handler/ssl/ReferenceCountedOpenSslEngine.unwrap([Ljava/nio/ByteBuffer;II[Ljava/nio/ByteBuffer;II)Ljavax/net/ssl/SSLEngineResult;
JVM
io/netty/handler/ssl/SslUtils.getEncryptedPacketLength(Ljava/nio/ByteBuffer;)I
JVMVulnerable params: 0
Affected Ecosystems: affected
Source: National Vulnerability Database
References: https://github.com/advisories/GHSA-4g8c-wm8x-jfhwTHIRD_PARTY
https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-handler/CVE-2025-24970.ymlTHIRD_PARTY
https://osv-vulnerabilities.storage.googleapis.com/Maven/GHSA-4g8c-wm8x-jfhw.jsonTHIRD_PARTY
https://www.oracle.com/security-alerts/cpuapr2025.htmlTHIRD_PARTY
https://www.oracle.com/security-alerts/cpujul2025.htmlTHIRD_PARTY

CVE-2025-24970 Security Details

CVE ID: CVE-2025-24970
CWE: CWE-20
NVD-CWE-noinfo
CVE Description: Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
Published: Feb 11, 2025
CVSS Score & Severity: 7.5High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.953%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: io/netty/handler/ssl/ReferenceCountedOpenSslEngine.unwrap([Ljava/nio/ByteBuffer;II[Ljava/nio/ByteBuffer;II)Ljavax/net/ssl/SSLEngineResult;
JVM
io/netty/handler/ssl/SslUtils.getEncryptedPacketLength(Ljava/nio/ByteBuffer;)I
JVMVulnerable params: 0
Affected Ecosystems: affected
Source: National Vulnerability Database
References: https://github.com/advisories/GHSA-4g8c-wm8x-jfhwTHIRD_PARTY
https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-handler/CVE-2025-24970.ymlTHIRD_PARTY
https://osv-vulnerabilities.storage.googleapis.com/Maven/GHSA-4g8c-wm8x-jfhw.jsonTHIRD_PARTY
https://www.oracle.com/security-alerts/cpuapr2025.htmlTHIRD_PARTY
https://www.oracle.com/security-alerts/cpujul2025.htmlTHIRD_PARTY

Find vulnerabilities. Fix fast with AI.

CVE-2025-24970

CVE-2025-24970 Security Details

CVE-2025-24970 Security Details