Netty <=4.1.118.Final env file read DoS on Windows
CVE-2025-25193 Published on February 10, 2025

Denial of Service attack on windows app using Netty
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

Github Repository NVD

Vulnerability Analysis

CVE-2025-25193 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2025-25193. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2025-25193 has been classified to as a Resource Exhaustion vulnerability or weakness.


Products Associated with CVE-2025-25193

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-25193 are published in these products:

Netty
 
Oracle
 
Red Hat Kafka
 

Affected Versions

netty Version <= 4.1.118 is affected by CVE-2025-25193

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-25193

Package Manager Vulnerable Package Versions Fixed In
maven io.netty:netty-common < 4.1.118.Final 4.1.118.Final

Exploit Probability

EPSS
0.06%
Percentile
19.67%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.