Package details: pkg:maven/io.netty/netty-handler@4.1.99.Final
purl pkg:maven/io.netty/netty-handler@4.1.99.Final
Next non-vulnerable version 4.1.118.Final
Latest non-vulnerable version 4.1.118.Final
Risk 4.0
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-56qx-e3h3-2kbr
Aliases:
CVE-2025-24970
GHSA-4g8c-wm8x-jfhw
SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine

### Impact

When a specially crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases, which can lead to a native crash.

### Workarounds

As a workaround it is possible to either disable the usage of the native SSLEngine or change the code from:

```java
SslContext context = ...;
SslHandler handler = context.newHandler(....);
```

to:

```java
SslContext context = ...;
SSLEngine engine = context.newEngine(....);
SslHandler handler = new SslHandler(engine, ....);
```
4.1.118.Final
Affected by 0 other vulnerabilities.
VCID-tgq7-nuu5-j7da
Aliases:
CVE-2023-4586
GHSA-57m8-f3v5-hm5m
Withdrawn Advisory: Netty-handler does not validate host names by default

## Withdrawn Advisory

This advisory has been withdrawn because the underlying vulnerability only concerns Red Hat's Hot Rod client, which is not in one of the GitHub Advisory Database's [supported ecosystems](https://github.com/github/advisory-database/blob/main/README.md#supported-ecosystems). This link is maintained to preserve external references.

## Original Description

Netty-handler has been found to not validate hostnames when using TLS in its default configuration. As a result, netty-handler is vulnerable to man-in-the-middle attacks. Users would need to set the protocol to "HTTPS" in the SSLParameters of the SSLEngine to opt in to host name validation. A change in default behavior is expected in the `5.x` release branch with no backport planned. In the interim, users are advised to enable host name validation in their configurations. See https://github.com/netty/netty/issues/8537 for details on the forthcoming change in default behavior.

There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-03T19:20:35.310494+00:00 GitLab Importer Affected by VCID-56qx-e3h3-2kbr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-handler/CVE-2025-24970.yml 37.0.0
2025-07-03T16:53:36.071573+00:00 GHSA Importer Affected by VCID-tgq7-nuu5-j7da https://github.com/advisories/GHSA-57m8-f3v5-hm5m 37.0.0