CVE-2025-58057

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-58057
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58057.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-58057
Aliases
Downstream
Related
Published
2025-09-04T10:42:32Z
Modified
2025-09-04T22:47:47.985683Z
Summary
[none]
Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.

References

Affected packages

Debian:11 / netty

Package

Name
netty
Purl
pkg:deb/debian/netty?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-4
1:4.1.48-4+deb11u1
1:4.1.48-4+deb11u2
1:4.1.48-5
1:4.1.48-6
1:4.1.48-7
1:4.1.48-8
1:4.1.48-9
1:4.1.48-10

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / netty

Package

Name
netty
Purl
pkg:deb/debian/netty?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-7
1:4.1.48-7+deb12u1
1:4.1.48-8
1:4.1.48-9
1:4.1.48-10

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / netty

Package

Name
netty
Purl
pkg:deb/debian/netty?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-10

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / netty

Package

Name
netty
Purl
pkg:deb/debian/netty?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-10

Ecosystem specific

{
    "urgency": "not yet assigned"
}