Description
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Vulnerabilities
| Vulnerability | Severity | Exploit Maturity | EPSS | Dependency | Type | Fixed in (netty-codec-http version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-58057 | 7.5 | Not Defined | 0.1% | detected in multiple dependencies | Direct | 4.1.125.Final | ✅ | |
| CVE-2025-58056 | 7.5 | Not Defined | 0.0% | netty-codec-http-4.1.119.Final.jar | Direct | 4.1.125.Final | ✅ | |
**In some cases, a remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2025-58057
Vulnerable Libraries - netty-codec-http-4.1.119.Final.jar, netty-codec-4.1.119.Final.jar
netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
netty-codec-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar
Dependency Hierarchy:
- netty-codec-http-4.1.119.Final.jar (Root Library)
  - ❌ netty-codec-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.2.4.Final and below, and netty-codec versions 4.1.124.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-03
URL: CVE-2025-58057
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3p8m-j85q-pgmj
Release Date: 2025-09-03
Fix Resolution (io.netty:netty-codec): 4.1.125.Final
Direct dependency fix Resolution (io.netty:netty-codec-http): 4.1.125.Final
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-58056
Vulnerable Library - netty-codec-http-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.119.Final/23196984df6083cc39bef22a54c6cf5b157f3824/netty-codec-http-4.1.119.Final.jar
Dependency Hierarchy:
- ❌ netty-codec-http-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
Publish Date: 2025-09-03
URL: CVE-2025-58056
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-09-03
Fix Resolution: 4.1.125.Final
⛑️ Automatic Remediation will be attempted for this issue.