CVE-2025-25193

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-25193
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-25193.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-25193
Published
2025-02-10T22:02:17Z
Modified
2025-10-20T20:30:38.835494Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Denial of Service attack on Windows app using Netty
Details

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe read of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates that file and makes it large, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. That issue was fixed, but the fix was incomplete in that null bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

Database specific
{
    "cwe_ids": [
        "CWE-400"
    ]
}

Affected packages

Git / github.com/netty/netty

Affected ranges

Type
GIT
Repo
https://github.com/netty/netty
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

netty-4.*

netty-4.0.0.Alpha1
netty-4.0.0.Alpha2
netty-4.0.0.Alpha3
netty-4.0.0.Alpha4
netty-4.0.0.Alpha5
netty-4.0.0.Alpha6
netty-4.0.0.Alpha7
netty-4.0.0.Alpha8
netty-4.0.0.Beta1
netty-4.0.0.Beta2
netty-4.0.0.Beta3
netty-4.0.0.CR1
netty-4.0.0.CR2
netty-4.0.0.CR3
netty-4.0.0.CR4
netty-4.0.0.CR5
netty-4.0.0.CR7
netty-4.0.0.CR8
netty-4.0.0.CR9
netty-4.0.0.Final
netty-4.0.1.Final
netty-4.0.10.Final
netty-4.0.11.Final
netty-4.0.12.Final
netty-4.0.13.Final
netty-4.0.14.Beta1
netty-4.0.14.Final
netty-4.0.15.Final
netty-4.0.2.Final
netty-4.0.3.Final
netty-4.0.4.Final
netty-4.0.5.Final
netty-4.0.6.Final
netty-4.0.7.Final
netty-4.0.8.Final
netty-4.1.0.Beta1
netty-4.1.0.Beta2
netty-4.1.0.Beta3
netty-4.1.0.Beta4
netty-4.1.0.Beta5
netty-4.1.0.Beta6
netty-4.1.0.Beta7
netty-4.1.0.Beta8
netty-4.1.0.CR1
netty-4.1.0.CR2
netty-4.1.0.CR3
netty-4.1.0.CR4
netty-4.1.0.CR5
netty-4.1.0.CR6
netty-4.1.0.CR7
netty-4.1.0.Final
netty-4.1.1.Final
netty-4.1.10.Final
netty-4.1.100.Final
netty-4.1.101.Final
netty-4.1.102.Final
netty-4.1.103.Final
netty-4.1.104.Final
netty-4.1.105.Final
netty-4.1.106.Final
netty-4.1.107.Final
netty-4.1.108.Final
netty-4.1.109.Final
netty-4.1.11.Final
netty-4.1.110.Final
netty-4.1.111.Final
netty-4.1.112.Final
netty-4.1.113.Final
netty-4.1.114.Final
netty-4.1.115.Final
netty-4.1.116.Final
netty-4.1.117.Final
netty-4.1.12.Final
netty-4.1.13.Final
netty-4.1.14.Final
netty-4.1.15.Final
netty-4.1.16.Final
netty-4.1.17.Final
netty-4.1.18.Final
netty-4.1.19.Final
netty-4.1.2.Final
netty-4.1.20.Final
netty-4.1.21.Final
netty-4.1.22.Final
netty-4.1.23.Final
netty-4.1.24.Final
netty-4.1.25.Final
netty-4.1.26.Final
netty-4.1.27.Final
netty-4.1.28.Final
netty-4.1.29.Final
netty-4.1.3.Final
netty-4.1.30.Final
netty-4.1.31.Final
netty-4.1.32.Final
netty-4.1.33.Final
netty-4.1.34.Final
netty-4.1.35.Final
netty-4.1.36.Final
netty-4.1.37.Final
netty-4.1.38.Final
netty-4.1.39.Final
netty-4.1.4.Final
netty-4.1.40.Final
netty-4.1.41.Final
netty-4.1.42.Final
netty-4.1.43.Final
netty-4.1.44.Final
netty-4.1.45.Final
netty-4.1.46.Final
netty-4.1.47.Final
netty-4.1.48.Final
netty-4.1.49.Final
netty-4.1.5.Final
netty-4.1.50.Final
netty-4.1.51.Final
netty-4.1.52.Final
netty-4.1.53.Final
netty-4.1.54.Final
netty-4.1.55.Final
netty-4.1.56.Final
netty-4.1.57.Final
netty-4.1.58.Final
netty-4.1.59.Final
netty-4.1.6.Final
netty-4.1.60.Final
netty-4.1.61.Final
netty-4.1.62.Final
netty-4.1.63.Final
netty-4.1.64.Final
netty-4.1.65.Final
netty-4.1.66.Final
netty-4.1.67.Final
netty-4.1.68.Final
netty-4.1.69.Final
netty-4.1.7.Final
netty-4.1.70.Final
netty-4.1.71.Final
netty-4.1.72.Final
netty-4.1.73.Final
netty-4.1.74.Final
netty-4.1.75.Final
netty-4.1.76.Final
netty-4.1.77.Final
netty-4.1.78.Final
netty-4.1.79.Final
netty-4.1.8.Final
netty-4.1.80.Final
netty-4.1.81.Final
netty-4.1.82.Final
netty-4.1.83.Final
netty-4.1.84.Final
netty-4.1.85.Final
netty-4.1.86.Final
netty-4.1.87.Final
netty-4.1.88.Final
netty-4.1.89.Final
netty-4.1.9.Final
netty-4.1.90.Final
netty-4.1.91.Final
netty-4.1.92.Final
netty-4.1.93.Final
netty-4.1.94.Final
netty-4.1.95.Final
netty-4.1.96.Final
netty-4.1.97.Final
netty-4.1.98.Final
netty-4.1.99.Final

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "id": "CVE-2025-25193-36ad3644",
        "signature_version": "v1",
        "digest": {
            "length": 151.0,
            "function_hash": "83647819642280477915450784459448806461"
        },
        "target": {
            "function": "read",
            "file": "common/src/main/java/io/netty/util/internal/BoundedInputStream.java"
        },
        "deprecated": false,
        "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2025-25193-3f260ffb",
        "signature_version": "v1",
        "digest": {
            "length": 92.0,
            "function_hash": "168617005726589462721307676983524610701"
        },
        "target": {
            "function": "execute",
            "file": "common/src/test/java/io/netty/util/internal/BoundedInputStreamTest.java"
        },
        "deprecated": false,
        "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386"
    },
    {
        "signature_type": "Line",
        "id": "CVE-2025-25193-628ffffd",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "target": {
            "file": "common/src/test/java/io/netty/util/internal/BoundedInputStreamTest.java"
        },
        "deprecated": false,
        "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386"
    },
    {
        "signature_type": "Line",
        "id": "CVE-2025-25193-8958bd75",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "target": {
            "file": "common/src/main/java/io/netty/util/internal/BoundedInputStream.java"
        },
        "deprecated": false,
        "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2025-25193-d1b4670c",
        "signature_version": "v1",
        "digest": {
            "length": 433.0,
            "function_hash": "163578465218010026851996761540428649398"
        },
        "target": {
            "function": "testBoundEnforced",
            "file": "common/src/test/java/io/netty/util/internal/BoundedInputStreamTest.java"
        },
        "deprecated": false,
        "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2025-25193-ee808a7d",
        "signature_version": "v1",
        "digest": {
            "length": 354.0,
            "function_hash": "230996555327220870387906718605658306393"
        },
        "target": {
            "function": "testBigReadsPermittedIfUnderlyingStreamIsSmall",
            "file": "common/src/test/java/io/netty/util/internal/BoundedInputStreamTest.java"
        },
        "deprecated": false,
        "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2025-25193-fc8de13c",
        "signature_version": "v1",
        "digest": {
            "length": 284.0,
            "function_hash": "42396086897291553879275097650676657862"
        },
        "target": {
            "function": "read",
            "file": "common/src/main/java/io/netty/util/internal/BoundedInputStream.java"
        },
        "deprecated": false,
        "source": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386"
    }
]