CVE-2025-25193

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-25193
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-25193.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-25193
Aliases
Downstream
Related
Published
2025-02-10T22:15:38Z
Modified
2025-09-19T15:22:53.661913Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe read of an environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. That issue was fixed, but the fix was incomplete in that null bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

References

Affected packages

Git / github.com/netty/netty

Affected ranges

Type
GIT
Repo
https://github.com/netty/netty
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

netty-4.*

netty-4.0.0.Alpha1
netty-4.0.0.Alpha2
netty-4.0.0.Alpha3
netty-4.0.0.Alpha4
netty-4.0.0.Alpha5
netty-4.0.0.Alpha6
netty-4.0.0.Alpha7
netty-4.0.0.Alpha8
netty-4.0.0.Beta1
netty-4.0.0.Beta2
netty-4.0.0.Beta3
netty-4.0.0.CR1
netty-4.0.0.CR2
netty-4.0.0.CR3
netty-4.0.0.CR4
netty-4.0.0.CR5
netty-4.0.0.CR7
netty-4.0.0.CR8
netty-4.0.0.CR9
netty-4.0.0.Final
netty-4.0.1.Final
netty-4.0.10.Final
netty-4.0.11.Final
netty-4.0.12.Final
netty-4.0.13.Final
netty-4.0.14.Beta1
netty-4.0.14.Final
netty-4.0.15.Final
netty-4.0.2.Final
netty-4.0.3.Final
netty-4.0.4.Final
netty-4.0.5.Final
netty-4.0.6.Final
netty-4.0.7.Final
netty-4.0.8.Final
netty-4.1.0.Beta1
netty-4.1.0.Beta2
netty-4.1.0.Beta3
netty-4.1.0.Beta4
netty-4.1.0.Beta5
netty-4.1.0.Beta6
netty-4.1.0.Beta7
netty-4.1.0.Beta8
netty-4.1.0.CR1
netty-4.1.0.CR2
netty-4.1.0.CR3
netty-4.1.0.CR4
netty-4.1.0.CR5
netty-4.1.0.CR6
netty-4.1.0.CR7
netty-4.1.0.Final
netty-4.1.1.Final
netty-4.1.10.Final
netty-4.1.100.Final
netty-4.1.101.Final
netty-4.1.102.Final
netty-4.1.103.Final
netty-4.1.104.Final
netty-4.1.105.Final
netty-4.1.106.Final
netty-4.1.107.Final
netty-4.1.108.Final
netty-4.1.109.Final
netty-4.1.11.Final
netty-4.1.110.Final
netty-4.1.111.Final
netty-4.1.112.Final
netty-4.1.113.Final
netty-4.1.114.Final
netty-4.1.115.Final
netty-4.1.116.Final
netty-4.1.117.Final
netty-4.1.12.Final
netty-4.1.13.Final
netty-4.1.14.Final
netty-4.1.15.Final
netty-4.1.16.Final
netty-4.1.17.Final
netty-4.1.18.Final
netty-4.1.19.Final
netty-4.1.2.Final
netty-4.1.20.Final
netty-4.1.21.Final
netty-4.1.22.Final
netty-4.1.23.Final
netty-4.1.24.Final
netty-4.1.25.Final
netty-4.1.26.Final
netty-4.1.27.Final
netty-4.1.28.Final
netty-4.1.29.Final
netty-4.1.3.Final
netty-4.1.30.Final
netty-4.1.31.Final
netty-4.1.32.Final
netty-4.1.33.Final
netty-4.1.34.Final
netty-4.1.35.Final
netty-4.1.36.Final
netty-4.1.37.Final
netty-4.1.38.Final
netty-4.1.39.Final
netty-4.1.4.Final
netty-4.1.40.Final
netty-4.1.41.Final
netty-4.1.42.Final
netty-4.1.43.Final
netty-4.1.44.Final
netty-4.1.45.Final
netty-4.1.46.Final
netty-4.1.47.Final
netty-4.1.48.Final
netty-4.1.49.Final
netty-4.1.5.Final
netty-4.1.50.Final
netty-4.1.51.Final
netty-4.1.52.Final
netty-4.1.53.Final
netty-4.1.54.Final
netty-4.1.55.Final
netty-4.1.56.Final
netty-4.1.57.Final
netty-4.1.58.Final
netty-4.1.59.Final
netty-4.1.6.Final
netty-4.1.60.Final
netty-4.1.61.Final
netty-4.1.62.Final
netty-4.1.63.Final
netty-4.1.64.Final
netty-4.1.65.Final
netty-4.1.66.Final
netty-4.1.67.Final
netty-4.1.68.Final
netty-4.1.69.Final
netty-4.1.7.Final
netty-4.1.70.Final
netty-4.1.71.Final
netty-4.1.72.Final
netty-4.1.73.Final
netty-4.1.74.Final
netty-4.1.75.Final
netty-4.1.76.Final
netty-4.1.77.Final
netty-4.1.78.Final
netty-4.1.79.Final
netty-4.1.8.Final
netty-4.1.80.Final
netty-4.1.81.Final
netty-4.1.82.Final
netty-4.1.83.Final
netty-4.1.84.Final
netty-4.1.85.Final
netty-4.1.86.Final
netty-4.1.87.Final
netty-4.1.88.Final
netty-4.1.89.Final
netty-4.1.9.Final
netty-4.1.90.Final
netty-4.1.91.Final
netty-4.1.92.Final
netty-4.1.93.Final
netty-4.1.94.Final
netty-4.1.95.Final
netty-4.1.96.Final
netty-4.1.97.Final
netty-4.1.98.Final
netty-4.1.99.Final

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2025-25193-36ad3644",
            "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386",
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "common/src/main/java/io/netty/util/internal/BoundedInputStream.java",
                "function": "read"
            },
            "signature_version": "v1",
            "digest": {
                "function_hash": "83647819642280477915450784459448806461",
                "length": 151.0
            }
        },
        {
            "id": "CVE-2025-25193-3f260ffb",
            "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386",
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "common/src/test/java/io/netty/util/internal/BoundedInputStreamTest.java",
                "function": "execute"
            },
            "signature_version": "v1",
            "digest": {
                "function_hash": "168617005726589462721307676983524610701",
                "length": 92.0
            }
        },
        {
            "id": "CVE-2025-25193-628ffffd",
            "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386",
            "deprecated": false,
            "signature_type": "Line",
            "target": {
                "file": "common/src/test/java/io/netty/util/internal/BoundedInputStreamTest.java"
            },
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            }
        },
        {
            "id": "CVE-2025-25193-8958bd75",
            "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386",
            "deprecated": false,
            "signature_type": "Line",
            "target": {
                "file": "common/src/main/java/io/netty/util/internal/BoundedInputStream.java"
            },
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            }
        },
        {
            "id": "CVE-2025-25193-d1b4670c",
            "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386",
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "common/src/test/java/io/netty/util/internal/BoundedInputStreamTest.java",
                "function": "testBoundEnforced"
            },
            "signature_version": "v1",
            "digest": {
                "function_hash": "163578465218010026851996761540428649398",
                "length": 433.0
            }
        },
        {
            "id": "CVE-2025-25193-ee808a7d",
            "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386",
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "common/src/test/java/io/netty/util/internal/BoundedInputStreamTest.java",
                "function": "testBigReadsPermittedIfUnderlyingStreamIsSmall"
            },
            "signature_version": "v1",
            "digest": {
                "function_hash": "230996555327220870387906718605658306393",
                "length": 354.0
            }
        },
        {
            "id": "CVE-2025-25193-fc8de13c",
            "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386",
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "common/src/main/java/io/netty/util/internal/BoundedInputStream.java",
                "function": "read"
            },
            "signature_version": "v1",
            "digest": {
                "function_hash": "42396086897291553879275097650676657862",
                "length": 284.0
            }
        }
    ]
}