{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24970", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-29T15:18:03.210Z", "datePublished": "2025-02-10T21:57:28.730Z", "dateUpdated": "2025-02-21T18:03:37.212Z"}, "containers": {"cna": {"title": "SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw"}, {"name": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4", "tags": ["x_refsource_MISC"], "url": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4"}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"version": ">= 4.1.91.Final, <= 4.1.117.Final", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-10T21:57:28.730Z"}, "descriptions": [{"lang": "en", "value": "Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually."}], "source": {"advisory": "GHSA-4g8c-wm8x-jfhw", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-11T15:30:54.865019Z", "id": "CVE-2025-24970", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T15:31:38.061Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250221-0005/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-21T18:03:37.212Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250221-0005/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-21T18:03:37.212Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24970", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-11T15:30:54.865019Z"}}}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T15:31:00.242Z"}}], "cna": {"title": "SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine", "source": {"advisory": "GHSA-4g8c-wm8x-jfhw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"status": "affected", "version": ">= 4.1.91.Final, <= 4.1.117.Final"}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw", "name": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4", "name": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-10T21:57:28.730Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24970", "state": "PUBLISHED", "dateUpdated": "2025-02-21T18:03:37.212Z", "dateReserved": "2025-01-29T15:18:03.210Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-10T21:57:28.730Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually."}, {"lang": "es", "value": "Netty, un framework de aplicaci\u00f3n de red asincr\u00f3nico y controlado por eventos, tiene una vulnerabilidad a partir de la versi\u00f3n 4.1.91.Final y anteriores a la versi\u00f3n 4.1.118.Final. Cuando se recibe un paquete especialmente manipulado a trav\u00e9s de SslHandler, no se gestiona correctamente la validaci\u00f3n de dicho paquete en todos los casos, lo que puede provocar un bloqueo nativo. La versi\u00f3n 4.1.118.Final contiene un parche. Como workaround, es posible deshabilitar el uso de SSLEngine nativo o cambiar el c\u00f3digo manualmente. "}], "id": "CVE-2025-24970", "lastModified": "2025-02-21T18:15:36.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-10T22:15:38.057", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4"}, {"source": "security-advisories@github.com", "url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250221-0005/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "io.netty:netty-handler: SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine", "id": "2344787", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344787"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.", "A flaw was found in Netty's SslHandler. This vulnerability allows a native crash via a specially crafted packet that bypasses proper validation."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-24970", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "io.netty/netty-handler", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Affected", "package_name": "io.netty/netty-handler", "product_name": "Red Hat build of Apache Camel for Quarkus"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Affected", "package_name": "io.netty/netty-handler", "product_name": "Red Hat build of Quarkus"}], "public_date": "2025-02-10T21:57:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-24970\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-24970\nhttps://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4\nhttps://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw"], "statement": "This vulnerability in Netty's SslHandler is of important severity rather than moderate because it directly impacts the stability and reliability of applications using native SSLEngine. By sending a specially crafted packet, an attacker can trigger a native crash, leading to a complete process termination. Unlike typical moderate vulnerabilities that might cause limited disruptions or require specific conditions, this flaw can be exploited remotely to induce a Denial of Service (DoS), affecting high-availability systems and mission-critical services.", "threat_severity": "Important"}