Labels: security (Security related change)
Description
Summary
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, it does not correctly handle validation of such a packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround, it is possible to either disable the usage of the native SSLEngine or change the code manually.
CVE: CVE-2025-24970
CWE: CWE-20
References
- https://ossindex.sonatype.org/vulnerability/CVE-2025-24970?component-type=maven&component-name=io.netty%2Fnetty-handler&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-24970
- GHSA-4g8c-wm8x-jfhw
- https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-handler/CVE-2025-24970.yml
- https://osv-vulnerabilities.storage.googleapis.com/Maven/GHSA-4g8c-wm8x-jfhw.json