CVE-2025-25193

Aliases: GHSA-389x-839f-4rhx
Advisory lineage: Upstream 0, Downstream 8
Analyzed
Published: 10 Feb 2025, 22:02
Last modified: 21 Feb 2025, 18:03

Vulnerability Summary

Overall Risk (default): low (22/100)
CVSS Score: 5.5 MEDIUM, v3.1 (cve.org)
EPSS Score: 0.1% LOW (0% probability, +0.03%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

10 Feb 2025, 22:02 - Published: vulnerability first disclosed
21 Feb 2025, 18:03 - Last modified: vulnerability information updated

Description

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe read of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates that file and makes it sufficiently large, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. That issue was fixed, but the fix was incomplete in that null bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

CVSS Metrics

  • v3.1 MEDIUM, Score: 5.5, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.10% Percentile: 26%

Techniques & Countermeasures

  • CWE-400: Uncontrolled Resource Consumption

    The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

  • io.netty:netty-common

    < 4.1.118.Final

  • netty/netty

    ≤ 4.1.118 | < 4.1.118

References (6)