ktor-bom-3.0.3.pom: 6 vulnerabilities (highest severity is: 7.5) #4
Description
Vulnerable Library - ktor-bom-3.0.3.pom
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar
Found in HEAD commit: 368abe5b510091318ccdf7157885f382a74089e7
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (ktor-bom version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-24970 |  High |
7.5 | Not Defined | 0.2% | netty-handler-4.1.116.Final.jar | Transitive | N/A* | ❌ |
|
| CVE-2025-25193 |  Medium |
5.5 | Not Defined | 0.1% | netty-common-4.1.116.Final.jar | Transitive | N/A* | ❌ |
|
| CVE-2025-58057 | High |
7.5 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | N/A* | ❌ | |
| CVE-2025-58056 | High |
7.5 | Not Defined | 0.0% | netty-codec-http-4.1.116.Final.jar | Transitive | N/A* | ❌ | |
| CVE-2025-55163 | High |
7.5 | Not Defined | 0.1% | netty-codec-http2-4.1.116.Final.jar | Transitive | N/A* | ❌ | |
| CVE-2025-29904 | Medium |
5.3 | Not Defined | 0.0% | detected in multiple dependencies | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-24970
Vulnerable Library - netty-handler-4.1.116.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.116.Final/eaef854ef33f3fd3d0ecf927690d8112c710bc05/netty-handler-4.1.116.Final.jar
Dependency Hierarchy:
- ktor-bom-3.0.3.pom (Root Library)
- ktor-server-netty-jvm-3.0.3.jar
- netty-codec-http2-4.1.116.Final.jar
- ❌ netty-handler-4.1.116.Final.jar (Vulnerable Library)
- netty-codec-http2-4.1.116.Final.jar
- ktor-server-netty-jvm-3.0.3.jar
Found in HEAD commit: 368abe5b510091318ccdf7157885f382a74089e7
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
Publish Date: 2025-02-10
URL: CVE-2025-24970
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-4g8c-wm8x-jfhw
Release Date: 2025-02-10
Fix Resolution: io.netty:netty-handler:4.1.118.Final
CVE-2025-25193
Vulnerable Library - netty-common-4.1.116.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.116.Final/6871f95af2bc3a98fda34a580baf6cac8cbc2944/netty-common-4.1.116.Final.jar
Dependency Hierarchy:
- ktor-bom-3.0.3.pom (Root Library)
- ktor-server-netty-jvm-3.0.3.jar
- netty-transport-native-epoll-4.1.116.Final.jar
- ❌ netty-common-4.1.116.Final.jar (Vulnerable Library)
- netty-transport-native-epoll-4.1.116.Final.jar
- ktor-server-netty-jvm-3.0.3.jar
Found in HEAD commit: 368abe5b510091318ccdf7157885f382a74089e7
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Publish Date: 2025-02-10
URL: CVE-2025-25193
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-389x-839f-4rhx
Release Date: 2025-02-10
Fix Resolution: io.netty:netty-common:4.1.118.Final
CVE-2025-58057
Vulnerable Libraries - netty-codec-4.1.116.Final.jar, netty-codec-http2-4.1.116.Final.jar, netty-codec-http-4.1.116.Final.jar
netty-codec-4.1.116.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.116.Final/cbe928f601e51a0b5750342b6dad5d35fa12f745/netty-codec-4.1.116.Final.jar
Dependency Hierarchy:
- ktor-bom-3.0.3.pom (Root Library)
- ktor-server-netty-jvm-3.0.3.jar
- netty-codec-http2-4.1.116.Final.jar
- ❌ netty-codec-4.1.116.Final.jar (Vulnerable Library)
- netty-codec-http2-4.1.116.Final.jar
- ktor-server-netty-jvm-3.0.3.jar
netty-codec-http2-4.1.116.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.116.Final/5aefc3cf9ca7df764d0b15b9cb9b6e706a4a55b3/netty-codec-http2-4.1.116.Final.jar
Dependency Hierarchy:
- ktor-bom-3.0.3.pom (Root Library)
- ktor-server-netty-jvm-3.0.3.jar
- ❌ netty-codec-http2-4.1.116.Final.jar (Vulnerable Library)
- ktor-server-netty-jvm-3.0.3.jar
netty-codec-http-4.1.116.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar
Dependency Hierarchy:
- ktor-bom-3.0.3.pom (Root Library)
- ktor-server-netty-jvm-3.0.3.jar
- netty-codec-http2-4.1.116.Final.jar
- ❌ netty-codec-http-4.1.116.Final.jar (Vulnerable Library)
- netty-codec-http2-4.1.116.Final.jar
- ktor-server-netty-jvm-3.0.3.jar
Found in HEAD commit: 368abe5b510091318ccdf7157885f382a74089e7
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.2.4.Final and below, and netty-codec versions 4.1.124.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-03
URL: CVE-2025-58057
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3p8m-j85q-pgmj
Release Date: 2025-09-03
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.5.Final
CVE-2025-58056
Vulnerable Library - netty-codec-http-4.1.116.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar
Dependency Hierarchy:
- ktor-bom-3.0.3.pom (Root Library)
- ktor-server-netty-jvm-3.0.3.jar
- netty-codec-http2-4.1.116.Final.jar
- ❌ netty-codec-http-4.1.116.Final.jar (Vulnerable Library)
- netty-codec-http2-4.1.116.Final.jar
- ktor-server-netty-jvm-3.0.3.jar
Found in HEAD commit: 368abe5b510091318ccdf7157885f382a74089e7
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
Publish Date: 2025-09-03
URL: CVE-2025-58056
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-09-03
Fix Resolution: io.netty:netty-codec-http:4.1.125.Final
CVE-2025-55163
Vulnerable Library - netty-codec-http2-4.1.116.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.116.Final/5aefc3cf9ca7df764d0b15b9cb9b6e706a4a55b3/netty-codec-http2-4.1.116.Final.jar
Dependency Hierarchy:
- ktor-bom-3.0.3.pom (Root Library)
- ktor-server-netty-jvm-3.0.3.jar
- ❌ netty-codec-http2-4.1.116.Final.jar (Vulnerable Library)
- ktor-server-netty-jvm-3.0.3.jar
Found in HEAD commit: 368abe5b510091318ccdf7157885f382a74089e7
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
Publish Date: 2025-08-13
URL: CVE-2025-55163
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-prj3-ccx8-p6x4
Release Date: 2025-08-13
Fix Resolution: io.netty:netty-codec-http2:4.2.4.Final
CVE-2025-29904
Vulnerable Libraries - ktor-http-cio-3.0.3.jar, ktor-io-3.0.3.jar
ktor-http-cio-3.0.3.jar
Ktor is a framework for quickly creating web applications in Kotlin with minimal effort.
Library home page: https://github.com/ktorio/ktor
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.ktor/ktor-http-cio/3.0.3/fc585a96722b556103e2e661eb0528590cda9553/ktor-http-cio-3.0.3.pom
Dependency Hierarchy:
- ktor-bom-3.0.3.pom (Root Library)
- ❌ ktor-http-cio-3.0.3.jar (Vulnerable Library)
ktor-io-3.0.3.jar
Ktor is a framework for quickly creating web applications in Kotlin with minimal effort.
Library home page: https://github.com/ktorio/ktor
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.ktor/ktor-io/3.0.3/3102f4ec154d37582ac4307c92ef50e6543339bc/ktor-io-3.0.3.pom
Dependency Hierarchy:
- ktor-bom-3.0.3.pom (Root Library)
- ❌ ktor-io-3.0.3.jar (Vulnerable Library)
Found in HEAD commit: 368abe5b510091318ccdf7157885f382a74089e7
Found in base branch: main
Vulnerability Details
In JetBrains Ktor before 3.1.1 an HTTP Request Smuggling was possible
Publish Date: 2025-03-12
URL: CVE-2025-29904
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None