CVE-2025-58057 unbounded memory allocation in Netty's BrotliDecoder allows OOM via zip-bomb

[Copilot]

CVE-2025-58057 (CVSS 7.5) — unbounded memory allocation in Netty's BrotliDecoder allows OOM via zip-bomb. Affects netty-codec/netty-codec-compression ≤ 4.1.124.Final. OpenDJ doesn't use Netty directly but may inherit a vulnerable version transitively through the org.openidentityplatform.commons:parent BOM (3.1.0).

Change

Added io.netty:netty-bom:4.1.125.Final as a BOM import in <dependencyManagement> in the root pom.xml, placed after the commons parent import so it takes precedence:

<!-- Fix CVE-2025-58057: Override transitive Netty to patched version -->
<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-bom</artifactId>
    <version>4.1.125.Final</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>

BOM imports don't support <exclusions>, so a version-override via a later BOM import is the standard Maven approach. Any transitive Netty artifact will now resolve to the patched 4.1.125.Final.

Original prompt

Problem

CVE-2025-58057 is a high-severity (CVSS 7.5) denial-of-service vulnerability in Netty's BrotliDecoder (netty-codec-compression ≤ 4.1.124.Final, netty-codec ≤ 4.2.4.Final). The decoder has no upper limit for memory allocation during decompression, allowing an attacker to trigger OOM via a zip-bomb style attack.

OpenDJ does NOT use Netty directly — it uses Grizzly (org.glassfish.grizzly) as its network transport. However, Netty may be pulled in as a transitive dependency through the org.openidentityplatform.commons:parent BOM (version 3.1.0) imported in the root pom.xml.

Solution

Exclude all transitive io.netty dependencies from the commons parent BOM import in the root pom.xml, since OpenDJ does not use Netty at all.

In the root pom.xml, within the <dependencyManagement> section, find the existing commons parent import:

<dependency>
    <groupId>org.openidentityplatform.commons</groupId>
    <artifactId>parent</artifactId>
    <version>${commons.version}</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>

Since BOM imports (<scope>import</scope>) do not support <exclusions>, the correct approach is to override the Netty versions by adding explicit <dependency> entries in the <dependencyManagement> section that pin Netty artifacts to a fixed version 4.1.125.Final (the patched version). Add these entries after the commons parent import:

<!-- Fix CVE-2025-58057: Override transitive Netty to patched version -->
<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-bom</artifactId>
    <version>4.1.125.Final</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>

This ensures that if any transitive dependency pulls in Netty, the patched version 4.1.125.Final will be used instead of the vulnerable one.

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-58057
• GHSA-3p8m-j85q-pgmj

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: предложи исправление CVE-2025-58057

Assistant: Давайте проверим, есть ли зависимость от Netty в проекте.

Assistant: На основе проведённого анализа, CVE-2025-58057 не применима напрямую к репозиторию OpenIdentityPlatform/OpenDJ. Вот почему:

Анализ CVE-2025-58057

CVE-2025-58057 — это уязвимость в Netty (netty-codec-compression / netty-codec), связанная с BrotliDecoder, который не ограничивает объём выделяемой памяти при декомпрессии, что позволяет атакующему вызвать OOM (отказ в обслуживании) через zip-bomb атаку.

• Затронуты: netty-codec-compression ≤ 4.1.124.Final, netty-codec ≤ 4.2.4.Final
• CVSS: 7.5 (High)

Почему OpenDJ не затронут напрямую

OpenDJ использует Grizzly (org.glassfish.grizzly:grizzly-framework) в качестве сетевого транспорта, а не Netty. В проекте:

• Нет прямых зависимостей на io.netty
• Нет импортов Netty-классов в исходном коде
• Сетевой стек построен на org.glassfish.grizzly

Что проверить

Однако Netty может попасть как транзитивная зависимость через org.openidentityplatform.commons (версия 3.1.0). Рекомендую:

1. Проверить транзитивные зависимости:

   mvn dependency:tree -Dincludes=io.netty

2. Если Netty обнаружен транзитивно, исправление — добавить в корневой pom.xml в секцию <dependencyManagement>:

   <!-- Fix CVE-2025-58057: Netty BrotliDecoder OOM -->
   <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-codec</artifactId>
       <version>4.1.125.Final</version>
   </dependency>
   <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-codec-http</artifactId>
       <version>4.1.125.Final</version>
   </dependency>
   <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-codec-http2</artifactId>
       <version>4.1.125.Final</version>
   </dependency>

3. Альтернативно — исключить Netty, если он не используется:

   <exclusion>
       <groupId>io.netty</groupId>
       <artifactId>*</artifactId>
   </exclusion>

Хотите, чтобы я создал PR с этим исправлением?

User: создай PR Альтернативно — исключить Netty

Assistant: I've started creating the pull request in OpenIdentityPlatform/OpenDJ. The coding agent is now working on the fix — it will override the transitive Netty dependency to the patched version 4.1.125.Final via the netty-bom in the root pom.xml's <dependencyManagement> section. You'll receive a notification once the PR is ready for review.

This pull request was created from Copilot chat.