CVE-2025-25193

10.02.2025, 22:15

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Vendor	Product	Version
netty	netty	𝑥 < 4.1.118

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

netty

bullseye (security)	1:4.1.48-4+deb11u2 fixed
bullseye	1:4.1.48-4+deb11u2 fixed
bookworm	1:4.1.48-7+deb12u1 fixed
bookworm (security)	1:4.1.48-7+deb12u1 fixed
sid	1:4.1.48-10 fixed
trixie	1:4.1.48-10 fixed

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386

https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx

https://security.netapp.com/advisory/ntap-20250221-0006/

https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx