Bug#1113994: netty: CVE-2025-58057
Salvatore Bonaccorso
carnil at debian.org
Fri Sep 5 05:39:39 BST 2025
Source: netty
Version: 1:4.1.48-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for netty.
CVE-2025-58057[0]:
| Netty is an asynchronous event-driven network application framework
| for rapid development of maintainable high performance protocol
| servers & clients. In netty-codec-compression versions 4.1.124.Final
| and below, and netty-codec versions 4.2.4.Final and below, when
| supplied with specially crafted input, BrotliDecoder and certain
| other decompression decoders will allocate a large number of
| reachable byte buffers, which can lead to denial of service.
| BrotliDecoder.decompress has no limit in how often it calls pull,
| decompressing data 64K bytes at a time. The buffers are saved in the
| output list, and remain reachable until OOM is hit. This is fixed in
| versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-
| codec-compression.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-58057
https://www.cve.org/CVERecord?id=CVE-2025-58057
[1] https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
[2] https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list