Netty 4.1.91-118.Final SslHandler Native Crash Vulnerability
CVE-2025-24970 Published on February 10, 2025

SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.

Github Repository NVD

Vulnerability Analysis

CVE-2025-24970 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.


Products Associated with CVE-2025-24970

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-24970 are published in these products:

Oracle
 
Red Hat Kafka
 
Netty
 

Affected Versions

netty Version >= 4.1.91.Final, <= 4.1.117.Final is affected by CVE-2025-24970

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-24970

Package Manager Vulnerable Package Versions Fixed In
maven io.netty:netty-handler >= 4.1.91.Final, <= 4.1.117.Final 4.1.118.Final

Exploit Probability

EPSS
0.35%
Percentile
56.86%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.