Vulnerability DatabaseCVE-2025-58057
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-58057
September 03, 2025
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Affected Packages
https://github.com/netty/netty.git (GITHUB):
Affected version(s) >=netty-3.2.4.Final <netty-4.1.125.Final
Fix Suggestion:
Update to version netty-4.1.125.Final
https://github.com/netty/netty.git (GITHUB):
Affected version(s) >=netty-4.2.0.Alpha1 <netty-4.2.5.Final
Fix Suggestion:
Update to version netty-4.2.5.Final
io.netty:netty-all (JAVA):
Affected version(s) >=4.2.0.Alpha1 <4.2.5.Final
Fix Suggestion:
Update to version 4.2.5.Final
io.netty:netty-codec (JAVA):
Affected version(s) >=4.0.0.Alpha1 <4.1.125.Final
Fix Suggestion:
Update to version 4.1.125.Final
io.netty:netty-codec-http (JAVA):
Affected version(s) >=4.2.0.Alpha1 <4.2.5.Final
Fix Suggestion:
Update to version 4.2.5.Final
io.netty:netty-all (JAVA):
Affected version(s) >=4.0.0.Final <4.1.125.Final
Fix Suggestion:
Update to version 4.1.125.Final
io.netty:netty-codec-http (JAVA):
Affected version(s) >=4.0.0.Alpha1 <4.1.125.Final
Fix Suggestion:
Update to version 4.1.125.Final
io.netty:netty-codec-compression (JAVA):
Affected version(s) >=4.2.0.Alpha3 <4.2.5.Final
Fix Suggestion:
Update to version 4.2.5.Final
io.netty:netty-codec-http2 (JAVA):
Affected version(s) >=4.2.0.Alpha1 <4.2.5.Final
Fix Suggestion:
Update to version 4.2.5.Final
io.netty:netty-codec-http2 (JAVA):
Affected version(s) >=4.1.0.Beta4 <4.1.125.Final
Fix Suggestion:
Update to version 4.1.125.Final
Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (5)
https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
https://github.com/netty/netty
https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d
https://nvd.nist.gov/vuln/detail/CVE-2025-58057
https://security-tracker.debian.org/tracker/CVE-2025-58057
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
LOW
Weakness Type (CWE)
Improper Handling of Highly Compressed Data (Data Amplification)
CWE-409
EPSS
Base Score:
0.06