GHSA-389x-839f-4rhx

Source
https://github.com/advisories/GHSA-389x-839f-4rhx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-389x-839f-4rhx/GHSA-389x-839f-4rhx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-389x-839f-4rhx
Aliases
Related
Published
2025-02-10T18:14:47Z
Modified
2025-02-21T18:49:45.508065Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Denial of service attack on a Windows application using Netty
Details

Summary

An unsafe read of an environment file could cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist on Windows. If an attacker creates that file and makes it large enough, the Netty application crashes.

Details

A similar issue was previously reported in https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv. That issue was fixed, but the fix was incomplete: null bytes were not counted against the input limit.

PoC

The PoC is the same as for https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv, with the difference that the file should contain only null bytes (0x00). When the InputStreamReader encounters the null bytes, it emits replacement characters during charset decoding. The replacement character is not a line-break character, so these characters accumulate in the line buffer of BufferedReader.readLine() until the limit that was meant to stop the read is bypassed.
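To make the incomplete-fix mechanism concrete, here is an added Python example. It is not Netty's code and not the code from either advisory; it models the bug class described above: a byte-limiting stream wrapper whose accounting skips 0x00 bytes, sitting underneath a text reader that reads lines. The class `BoundedStream`, its `count_zero_bytes` switch, the helper functions, the 1024-byte limit and the file contents are all assumptions constructed for this illustration; Python's `TextIOWrapper.readline()` over a `BufferedReader` stands in for Java's `BufferedReader.readLine()` over an `InputStreamReader`.

```python
import io


class BoundedStream(io.RawIOBase):
    """Hypothetical byte-limiting wrapper (an illustration, not Netty's code).

    Raises OSError once a caller tries to read past ``max_bytes``. With
    ``count_zero_bytes=False`` it reproduces the accounting flaw described in
    the advisory: 0x00 bytes pass through without being charged to the limit.
    """

    def __init__(self, raw, max_bytes, count_zero_bytes=True):
        super().__init__()
        self._raw = raw
        self._max = max_bytes
        self._count_zero_bytes = count_zero_bytes
        self.count = 0  # bytes charged against the limit so far

    def readable(self):
        return True

    def readinto(self, buf):
        remaining = self._max - self.count
        if remaining <= 0:
            raise OSError("input exceeded the %d-byte limit" % self._max)
        view = memoryview(buf)[:remaining]  # never hand out more than the budget
        n = self._raw.readinto(view)
        if not n:
            return n  # EOF (0) or no data available (None)
        if self._count_zero_bytes:
            self.count += n  # correct: every byte returned is counted
        else:
            # Flawed: mirrors a check of the form "if (b > 0) count++", which
            # charges nothing for 0x00, so a file of NULs is read without bound.
            self.count += sum(1 for b in view[:n] if b > 0)
        return n


def read_first_line(data, max_bytes, count_zero_bytes=True):
    """readline() through the text-decoding layers: the analogue of
    BufferedReader.readLine() over an InputStreamReader in the advisory."""
    raw = BoundedStream(io.BytesIO(data), max_bytes, count_zero_bytes)
    reader = io.TextIOWrapper(io.BufferedReader(raw), encoding="utf-8", errors="replace")
    return reader.readline()


def exceeds_limit(data, max_bytes, count_zero_bytes=True):
    """True if reading the first line of ``data`` trips the byte limit."""
    try:
        read_first_line(data, max_bytes, count_zero_bytes)
    except OSError:
        return True
    return False


# Constructed inputs: a small well-formed file, and a 1 MiB file containing
# nothing but 0x00, the payload shape the advisory describes.
BENIGN_FILE = b"NAME=example\nVERSION=1\n"
NUL_FILE = b"\x00" * (1 << 20)
LIMIT = 1024  # hypothetical read budget


if __name__ == "__main__":
    print(repr(read_first_line(BENIGN_FILE, LIMIT)))
    print("flawed accounting, NUL file: line length =",
          len(read_first_line(NUL_FILE, LIMIT, count_zero_bytes=False)))
    print("correct accounting, NUL file: limit tripped =",
          exceeds_limit(NUL_FILE, LIMIT, count_zero_bytes=True))
```

With the flawed accounting the 1 MiB NUL file is returned as a single line, because no byte is ever charged to the budget and no line terminator ever arrives; with every byte counted, the reader raises as soon as the 1024-byte budget is spent. Python's UTF-8 decoder yields U+0000 for a NUL rather than a replacement character, but the property that matters is the same as in the advisory: the decoded character is not a line break, so readline() keeps accumulating. The same padding trick also defeats a limit when real content follows the NULs, which is why the count must include every byte the stream hands out, not only the non-zero ones.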

Impact

The impact is the same as for https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv.

Database specific
{
    "nvd_published_at": "2025-02-10T22:15:38Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-10T18:14:47Z"
}
References

Affected packages

Maven / io.netty:netty-common

Package

Name
io.netty:netty-common
Purl
pkg:maven/io.netty/netty-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.1.118.Final

Affected versions

4.*

4.0.0.Alpha1
4.0.0.Alpha2
4.0.0.Alpha3
4.0.0.Alpha4
4.0.0.Alpha5
4.0.0.Alpha6
4.0.0.Alpha7
4.0.0.Alpha8
4.0.0.Beta1
4.0.0.Beta2
4.0.0.Beta3
4.0.0.CR1
4.0.0.CR2
4.0.0.CR3
4.0.0.CR4
4.0.0.CR5
4.0.0.CR6
4.0.0.CR7
4.0.0.CR8
4.0.0.CR9
4.0.0.Final
4.0.1.Final
4.0.2.Final
4.0.3.Final
4.0.4.Final
4.0.5.Final
4.0.6.Final
4.0.7.Final
4.0.8.Final
4.0.9.Final
4.0.10.Final
4.0.11.Final
4.0.12.Final
4.0.13.Final
4.0.14.Beta1
4.0.14.Final
4.0.15.Final
4.0.16.Final
4.0.17.Final
4.0.18.Final
4.0.19.Final
4.0.20.Final
4.0.21.Final
4.0.22.Final
4.0.23.Final
4.0.24.Final
4.0.25.Final
4.0.26.Final
4.0.27.Final
4.0.28.Final
4.0.29.Final
4.0.30.Final
4.0.31.Final
4.0.32.Final
4.0.33.Final
4.0.34.Final
4.0.35.Final
4.0.36.Final
4.0.37.Final
4.0.38.Final
4.0.39.Final
4.0.40.Final
4.0.41.Final
4.0.42.Final
4.0.43.Final
4.0.44.Final
4.0.45.Final
4.0.46.Final
4.0.47.Final
4.0.48.Final
4.0.49.Final
4.0.50.Final
4.0.51.Final
4.0.52.Final
4.0.53.Final
4.0.54.Final
4.0.55.Final
4.0.56.Final
4.1.0.Beta1
4.1.0.Beta2
4.1.0.Beta3
4.1.0.Beta4
4.1.0.Beta5
4.1.0.Beta6
4.1.0.Beta7
4.1.0.Beta8
4.1.0.CR1
4.1.0.CR2
4.1.0.CR3
4.1.0.CR4
4.1.0.CR5
4.1.0.CR6
4.1.0.CR7
4.1.0.Final
4.1.1.Final
4.1.2.Final
4.1.3.Final
4.1.4.Final
4.1.5.Final
4.1.6.Final
4.1.7.Final
4.1.8.Final
4.1.9.Final
4.1.10.Final
4.1.11.Final
4.1.12.Final
4.1.13.Final
4.1.14.Final
4.1.15.Final
4.1.16.Final
4.1.17.Final
4.1.18.Final
4.1.19.Final
4.1.20.Final
4.1.21.Final
4.1.22.Final
4.1.23.Final
4.1.24.Final
4.1.25.Final
4.1.26.Final
4.1.27.Final
4.1.28.Final
4.1.29.Final
4.1.30.Final
4.1.31.Final
4.1.32.Final
4.1.33.Final
4.1.34.Final
4.1.35.Final
4.1.36.Final
4.1.37.Final
4.1.38.Final
4.1.39.Final
4.1.40.Final
4.1.41.Final
4.1.42.Final
4.1.43.Final
4.1.44.Final
4.1.45.Final
4.1.46.Final
4.1.47.Final
4.1.48.Final
4.1.49.Final
4.1.50.Final
4.1.51.Final
4.1.52.Final
4.1.53.Final
4.1.54.Final
4.1.55.Final
4.1.56.Final
4.1.57.Final
4.1.58.Final
4.1.59.Final
4.1.60.Final
4.1.61.Final
4.1.62.Final
4.1.63.Final
4.1.64.Final
4.1.65.Final
4.1.66.Final
4.1.67.Final
4.1.68.Final
4.1.69.Final
4.1.70.Final
4.1.71.Final
4.1.72.Final
4.1.73.Final
4.1.74.Final
4.1.75.Final
4.1.76.Final
4.1.77.Final
4.1.78.Final
4.1.79.Final
4.1.80.Final
4.1.81.Final
4.1.82.Final
4.1.83.Final
4.1.84.Final
4.1.85.Final
4.1.86.Final
4.1.87.Final
4.1.88.Final
4.1.89.Final
4.1.90.Final
4.1.91.Final
4.1.92.Final
4.1.93.Final
4.1.94.Final
4.1.95.Final
4.1.96.Final
4.1.97.Final
4.1.98.Final
4.1.99.Final
4.1.100.Final
4.1.101.Final
4.1.102.Final
4.1.103.Final
4.1.104.Final
4.1.105.Final
4.1.106.Final
4.1.107.Final
4.1.108.Final
4.1.109.Final
4.1.110.Final
4.1.111.Final
4.1.112.Final
4.1.113.Final
4.1.114.Final
4.1.115.Final
4.1.116.Final
4.1.117.Final
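As an added check (not part of the advisory or of Netty), here is a small Python comparator for the Netty 4 version scheme that answers whether a given io.netty:netty-common version falls inside the affected range listed above, that is, anything below 4.1.118.Final. The qualifier ordering Alpha < Beta < CR < Final, the regular expression and the function names are assumptions of this example, chosen to match the version strings in the list.

```python
import re

FIXED_VERSION = "4.1.118.Final"  # "Fixed" event from the advisory's affected range

# Assumed ordering of Netty 4 pre-release qualifiers; Final outranks every pre-release.
_QUALIFIER_RANK = {"Alpha": 0, "Beta": 1, "CR": 2, "Final": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(Alpha|Beta|CR|Final)(\d*)$")


def parse_version(version):
    """Turn a string such as '4.1.0.CR7' into a comparable tuple (4, 1, 0, 2, 7)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("not a Netty 4 version string: %r" % version)
    major, minor, patch, qualifier, qnum = m.groups()
    return (int(major), int(minor), int(patch),
            _QUALIFIER_RANK[qualifier], int(qnum) if qnum else 0)


def is_affected(version):
    """True when the version sorts below the fixed release.

    The range's "Introduced" event is 0, so there is no lower bound."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def affected_in(versions):
    """Filter version strings (for example from a dependency report) to the affected ones."""
    return [v for v in versions if is_affected(v)]


if __name__ == "__main__":
    # Constructed sample: versions as they might appear in a build's dependency list.
    for v in ["4.1.117.Final", "4.1.118.Final", "4.0.56.Final", "4.1.0.CR7"]:
        print(v, "affected" if is_affected(v) else "fixed")
```

The tuple comparison reproduces the ECOSYSTEM ordering the range relies on: 4.1.0.Beta8 sorts before 4.1.0.CR1, which sorts before 4.1.0.Final, and every 4.0.x release sorts before 4.1.118.Final. Feed it the resolved version of io.netty:netty-common rather than the version declared in a build file, since transitive dependency management can pull in an older artifact than the one written down.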