CVE-2025-24970 HIGH

CVE-2025-24970: SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine

Vendor Netty

Product netty

Weakness CWE-20 · Input validation

Published February 10, 2025

Last update April 16, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.

Key dates

02Disclosure timeline

February 10, 2025 CVE published

April 16, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-24970 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2025-24970: SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine

01Description

02Disclosure timeline

03References

04Related CVE