HIGH 7.5 Maven
SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
GHSA-4g8c-wm8x-jfhw · CVE-2025-24970
Published · Modified
Description
Impact
When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash.
Workarounds
As workaround its possible to either disable the usage of the native SSLEngine or changing the code from:
SslContext context = ...;
SslHandler handler = context.newHandler(....);
to:
SslContext context = ...;
SSLEngine engine = context.newEngine(....);
SslHandler handler = new SslHandler(engine, ....);
References
- WEB https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-24970
- WEB https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4
- PACKAGE https://github.com/netty/netty
- WEB https://security.netapp.com/advisory/ntap-20250221-0005
- WEB https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-detection
- WEB https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-mitigation
Ready to move
Start Securing
Free, no credit card | First findings in minutes