CVE-2025-24970

Source
https://cve.org/CVERecord?id=CVE-2025-24970
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24970.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-24970
Aliases
Downstream
Related
Published
2025-02-10T21:57:28.730Z
Modified
2026-06-18T04:11:25.200652066Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
SslHandler doesn't correctly validate packets, which can lead to a native crash when using the native SSLEngine
Details

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, the handler does not correctly validate that packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround, it is possible to either disable the usage of the native SSLEngine or change the code manually.

Database specific
{
    "cwe_ids": [
        "CWE-20"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24970.json"
}
References

Affected packages

Git / github.com/netty/netty

Affected ranges

Type
GIT
Repo
https://github.com/netty/netty
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.1.91"
        },
        {
            "fixed": "4.1.118"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*"
}

Affected versions

netty-4.*
netty-4.1.100.Final
netty-4.1.101.Final
netty-4.1.102.Final
netty-4.1.103.Final
netty-4.1.104.Final
netty-4.1.105.Final
netty-4.1.106.Final
netty-4.1.107.Final
netty-4.1.108.Final
netty-4.1.109.Final
netty-4.1.110.Final
netty-4.1.111.Final
netty-4.1.112.Final
netty-4.1.113.Final
netty-4.1.114.Final
netty-4.1.115.Final
netty-4.1.116.Final
netty-4.1.117.Final
netty-4.1.91.Final
netty-4.1.92.Final
netty-4.1.93.Final
netty-4.1.94.Final
netty-4.1.95.Final
netty-4.1.96.Final
netty-4.1.97.Final
netty-4.1.98.Final
netty-4.1.99.Final

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24970.json"