CVE-2025-24970

About vulnerability

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn’t correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.

Affected product:

Apache ActiveMQ , Apache Hadoop , Apache Kafka , Apache Lucene , Apache Spark , Eclipse Jetty , Netty , Spring , artemis , async-http-client , avro , aws-sdk-java , azure-sdk-for-java , cassandra-driver-core , cassandra-java-driver , couchbase-jvm-clients , cxf , elasticsearch , grpc-netty , infinispan , java-driver , lettuce , lettuce-core , logging-log4j2 , neo4j-java-driver , netty , pulsar , pulsar-client-all , rsocket-java , solr , tika , wildfly , zookeeper

Affected packages:

netty-handler @ 4.1.115.Final (+4208 more)

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn’t correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.