{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-25193", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-03T19:30:53.400Z", "datePublished": "2025-02-10T22:02:17.197Z", "dateUpdated": "2025-02-21T18:03:38.211Z"}, "containers": {"cna": {"title": "Denial of Service attack on windows app using Netty", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx"}, {"name": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386", "tags": ["x_refsource_MISC"], "url": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386"}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"version": "<= 4.1.118", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-10T22:02:17.197Z"}, "descriptions": [{"lang": "en", "value": "Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix."}], "source": {"advisory": "GHSA-389x-839f-4rhx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-11T15:22:08.933112Z", "id": "CVE-2025-25193", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T15:22:12.545Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250221-0006/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-21T18:03:38.211Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250221-0006/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-21T18:03:38.211Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-25193", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-11T15:22:08.933112Z"}}}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T15:22:04.538Z"}}], "cna": {"title": "Denial of Service attack on windows app using Netty", "source": {"advisory": "GHSA-389x-839f-4rhx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"status": "affected", "version": "<= 4.1.118"}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx", "name": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386", "name": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-10T22:02:17.197Z"}}}, "cveMetadata": {"cveId": "CVE-2025-25193", "state": "PUBLISHED", "dateUpdated": "2025-02-21T18:03:38.211Z", "dateReserved": "2025-02-03T19:30:53.400Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-10T22:02:17.197Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "A71F5AEF-CB1E-41D1-A0D8-804DCF674542", "versionEndExcluding": "4.1.118", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix."}, {"lang": "es", "value": "Netty, un framework de aplicaci\u00f3n de red asincr\u00f3nico y controlado por eventos, tiene una vulnerabilidad en las versiones hasta la 4.1.118.Final incluida. Una lectura no segura del archivo de entorno podr\u00eda causar una denegaci\u00f3n de servicio en Netty. Cuando se carga en una aplicaci\u00f3n de Windows, Netty intenta cargar un archivo que no existe. Si un atacante crea un archivo tan grande, la aplicaci\u00f3n Netty se bloquea. Anteriormente se inform\u00f3 de un problema similar como CVE-2024-47535. Este problema se solucion\u00f3, pero la soluci\u00f3n estaba incompleta porque los bytes nulos no se contabilizaban en el l\u00edmite de entrada. El commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contiene una soluci\u00f3n actualizada."}], "id": "CVE-2025-25193", "lastModified": "2025-03-26T13:14:32.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-10T22:15:38.450", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20250221-0006/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory"], "url": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "netty-common", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-0:4.1.119-1.Final_redhat_00004.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00004.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-0:7.4.21-3.GA_29548_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-0:4.1.119-1.Final_redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-0:7.4.21-3.GA_29548_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-0:4.1.119-1.Final_redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-wildfly-0:7.4.21-3.GA_29548_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3358", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "netty-common", "product_name": "Red Hat JBoss Enterprise Application Platform 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-eap-product-conf-parent-0:800.6.1-1.GA_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-netty-0:4.1.119-1.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-slf4j-0:2.0.16-2.redhat_00003.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-wildfly-0:8.0.6-15.GA_redhat_00009.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-eap-product-conf-parent-0:800.6.1-1.GA_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-netty-0:4.1.119-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-slf4j-0:2.0.16-2.redhat_00003.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-0:8.0.6-15.GA_redhat_00009.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}], "bugzilla": {"description": "netty: Denial of Service attack on windows app using Netty", "id": "2344788", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344788"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.", "A flaw was found in Netty. An unsafe reading of the environment file could cause a denial of service. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file, the Netty application crash."], "mitigation": {"lang": "en:us", "value": "Currently, no mitigation is available for this vulnerability."}, "name": "CVE-2025-25193", "public_date": "2025-02-10T22:02:17Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-25193\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-25193\nhttps://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386\nhttps://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx"], "statement": "This issue only affects Windows environments, therefore, this would affect an environment when running a supported Red Hat JBoss EAP 7 or 8, for example, if running on Windows.", "threat_severity": "Moderate"}