CVE-2025-24970

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4	Patch
https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw	Vendor Advisory
https://security.netapp.com/advisory/ntap-20250221-0005/	Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-detection	Exploit Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-mitigation	Exploit Mitigation Third Party Advisory
https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
	cpe:2.3:a:netapp:oncommand_insight:-:::::::*

History

No history.

Information

Published : 2025-02-10 22:15

Updated : 2025-09-05 17:20

NVD link : CVE-2025-24970

Mitre link : CVE-2025-24970

CVE.ORG link : CVE-2025-24970

JSON object : View

Products Affected

netty

netty

netapp

active_iq_unified_manager
oncommand_insight

CWE

CWE-20

Improper Input Validation

NVD-CWE-noinfo

{"id": "CVE-2025-24970", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-02-10T22:15:38.057", "references": [{"url": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20250221-0005/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-detection", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-mitigation", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw", "tags": ["Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually."}, {"lang": "es", "value": "Netty, un framework de aplicaci\u00f3n de red asincr\u00f3nico y controlado por eventos, tiene una vulnerabilidad a partir de la versi\u00f3n 4.1.91.Final y anteriores a la versi\u00f3n 4.1.118.Final. Cuando se recibe un paquete especialmente manipulado a trav\u00e9s de SslHandler, no se gestiona correctamente la validaci\u00f3n de dicho paquete en todos los casos, lo que puede provocar un bloqueo nativo. La versi\u00f3n 4.1.118.Final contiene un parche. Como workaround, es posible deshabilitar el uso de SSLEngine nativo o cambiar el c\u00f3digo manualmente. "}], "lastModified": "2025-09-05T17:20:12.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FFD13BDE-F4C1-4B4C-9E46-C4482F977174", "versionEndExcluding": "4.1.118", "versionStartIncluding": "4.1.91"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "vulnerable": true, "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1"}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "vulnerable": true, "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5"}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE"}, {"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}