CVE-2025-24970
HIGH7.5EPSS 0.95%SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
Published: 2/10/2025Modified: 2/4/2026
Description
### Impact When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. ### Workarounds As workaround its possible to either disable the usage of the native SSLEngine or changing the code from: ``` SslContext context = ...; SslHandler handler = context.newHandler(....); ``` to: ``` SslContext context = ...; SSLEngine engine = context.newEngine(....); SslHandler handler = new SslHandler(engine, ....); ```
Affected packages (1)
- Maven/io.netty:netty-handler>= 4.1.91.Final, < 4.1.118.Final
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-24970
- PATCHhttps://github.com/netty/netty
- WEBhttps://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4
- WEBhttps://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw
- WEBhttps://security.netapp.com/advisory/ntap-20250221-0005
- WEBhttps://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-detection
- WEBhttps://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-mitigation