CVE-2025-24970

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24970.json",
    "cwe_ids": [
        "CWE-20"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/netty/netty

Affected ranges

Type: GIT
Repo: https://github.com/netty/netty
Events: Introduced

d773f37e3422b8bc38429bbde94583173c3b7e4a

Fixed

36f95cfaeed0c1313b21f1b5350c19436ae7fb45

Affected versions

netty-4.*

netty-4.1.100.Final

netty-4.1.101.Final

netty-4.1.102.Final

netty-4.1.103.Final

netty-4.1.104.Final

netty-4.1.105.Final

netty-4.1.106.Final

netty-4.1.107.Final

netty-4.1.108.Final

netty-4.1.109.Final

netty-4.1.110.Final

netty-4.1.111.Final

netty-4.1.112.Final

netty-4.1.113.Final

netty-4.1.114.Final

netty-4.1.115.Final

netty-4.1.116.Final

netty-4.1.117.Final

netty-4.1.91.Final

netty-4.1.92.Final

netty-4.1.93.Final

netty-4.1.94.Final

netty-4.1.95.Final

netty-4.1.96.Final

netty-4.1.97.Final

netty-4.1.98.Final

netty-4.1.99.Final

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24970.json"