Search for packages
| purl | pkg:maven/io.netty/netty-common@4.1.116.Final |
| Next non-vulnerable version | 4.1.118.Final |
| Latest non-vulnerable version | 4.1.118.Final |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-c7cx-u73j-k7bx
Aliases: CVE-2025-25193 GHSA-389x-839f-4rhx |
Denial of Service attack on windows app using Netty ### Summary An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attemps to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. ### Details A similar issue was previously reported in https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. ### PoC The PoC is the same as for https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv with the detail that the file should only contain null-bytes; 0x00. When the null-bytes are encountered by the `InputStreamReader`, it will issue replacement characters in its charset decoding, which will fill up the line-buffer in the `BufferedReader.readLine()`, because the replacement character is not a line-break character. ### Impact Impact is the same as https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-03T19:20:34.052371+00:00 | GitLab Importer | Affected by | VCID-c7cx-u73j-k7bx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-common/CVE-2025-25193.yml | 37.0.0 |