CVE
GHSA-4g8c-wm8x-jfhw
SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
Impact
When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash.
Workarounds
As workaround its possible to either disable the usage of the native SSLEngine or changing the code from:
SslContext context = ...;
SslHandler handler = context.newHandler(....);to:
SslContext context = ...;
SSLEngine engine = context.newEngine(....);
SslHandler handler = new SslHandler(engine, ....);Package Versions Affected
Package Version
patch Availability
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Resources
No items found.
References
https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw, https://nvd.nist.gov/vuln/detail/CVE-2025-24970, https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4, https://github.com/netty/netty, https://security.netapp.com/advisory/ntap-20250221-0005, https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-detection, https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-mitigation
Basic Information
Ecosystem
