Vulnerability DatabaseCVE-2025-24970
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-24970
February 10, 2025
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
Affected Packages
io.netty:netty-handler (JAVA):
Affected version(s) >=4.1.91.Final <4.1.118.Final
Fix Suggestion:
Update to version 4.1.118.Final
Related ResourcesĀ (8)
https://github.com/netty/netty
https://nvd.nist.gov/vuln/detail/CVE-2025-24970
https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4
https://security.netapp.com/advisory/ntap-20250221-0005/
https://security.netapp.com/advisory/ntap-20250221-0005
https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-detection
https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw
https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-mitigation
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Improper Input Validation
CWE-20
EPSS
Base Score:
0.3