
CVE-2025-25193

MEDIUM CVSS 3.1: 5.5 EPSS 0.10%
Updated Jun 11, 2025
Netty
Parameter: Value
CVSS: 5.5 (MEDIUM)
Affected Versions: before 4.1.118
Fixed In: 4.1.118
Type: CWE-400 (Uncontrolled Resource Consumption)
Vendor: Netty
Public PoC: No

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe read of an environment file could cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist.

If an attacker creates such a file and makes it large, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. That issue was fixed, but the fix was incomplete in that null bytes were not counted against the input limit.

Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
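
The incomplete limit described above (a size cap that null bytes did not count against), shown beside a cap that counts every byte. This is an added Java illustration, not Netty's code or the referenced commit; the class name, method names and the 1024-byte LIMIT are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

public class BoundedReadDemo {
    static final int LIMIT = 1024; // assumed cap for this illustration

    // Incomplete limit: NUL bytes are skipped before the counter is touched,
    // so an input made of NUL bytes is read to the end however large it is.
    static long readIgnoringNulInLimit(InputStream in) throws IOException {
        long consumed = 0;
        int counted = 0;
        int b;
        while ((b = in.read()) != -1) {
            consumed++;
            if (b == 0) {
                continue; // not counted against LIMIT
            }
            if (++counted > LIMIT) {
                throw new IOException("limit exceeded");
            }
        }
        return consumed;
    }

    // Corrected limit: every byte taken from the stream counts, whatever its value.
    static long readCountingEveryByte(InputStream in) throws IOException {
        long consumed = 0;
        while (in.read() != -1) {
            if (++consumed > LIMIT) {
                throw new IOException("limit exceeded after " + LIMIT + " bytes");
            }
        }
        return consumed;
    }

    public static void main(String[] args) throws IOException {
        byte[] constructed = new byte[64 * LIMIT]; // constructed input: all NUL bytes
        long n = readIgnoringNulInLimit(new ByteArrayInputStream(constructed));
        System.out.println("incomplete check consumed " + n + " bytes");
        try {
            readCountingEveryByte(new ByteArrayInputStream(constructed));
        } catch (IOException e) {
            System.out.println("corrected check stopped: " + e.getMessage());
        }
    }
}
```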

Attack Parameters

Attack Vector: Local (requires local access)
Attack Complexity: Low (easy to exploit)
Privileges Required: Low (basic privileges needed)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: None (no data leak)
Integrity: None (no data modification)
Availability: High (complete denial of service)

CVSS Vector v3.1

Vulnerable Products 2

Configuration: Netty Netty
CPE: cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
Up to (excluding): 4.1.118

Configuration: Microsoft Windows
CPE: cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*