CVE-2025-24970
Published: 10 February 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-24970 is a vulnerability in Netty, an asynchronous, event-driven network application framework for Java. It affects versions starting from 4.1.91.Final up to but not including 4.1.118.Final. The issue occurs in the SslHandler component, where a specially crafted packet is not correctly validated in all cases, leading to a native crash. This is classified under CWE-20 (Improper Input Validation) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability can be exploited remotely over the network by unauthenticated attackers, with low attack complexity and no user interaction. By sending a specially crafted packet to a service using the vulnerable SslHandler, an attacker can trigger a native crash, resulting in denial of service (high availability impact); confidentiality and integrity remain unaffected.
Mitigation is available in Netty version 4.1.118.Final, which includes a patch. As workarounds, organizations can disable the use of the native SSLEngine or manually modify the code. Detailed patch information is in the GitHub commit (87f40725155b2f89adfde68c7732f97c153676c4) and security advisory (GHSA-4g8c-wm8x-jfhw), with additional guidance from NetApp advisory ntap-20250221-0005 and Vicarius resources on detection and mitigation.
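To find builds that still need the upgrade, the affected range above can be checked against `mvn dependency:tree` output. The script below is an added example, not code from Netty or the advisory; the sample tree is constructed, and it assumes SslHandler ships in the `netty-handler` artifact (also bundled in `netty-all`). It flags by version only and does not determine whether the native SSLEngine is in use.

```python
import re

# Affected range as stated on this page: >= 4.1.91.Final and < 4.1.118.Final
FIRST_AFFECTED = (4, 1, 91)
FIRST_FIXED = (4, 1, 118)
# Assumption: these artifacts carry io.netty.handler.ssl.SslHandler
ARTIFACTS = {"netty-handler", "netty-all"}

def parse_version(text):
    """Return (major, minor, patch) for '4.1.91.Final' style versions, else None."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:\.|$)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def affected(version):
    """True when the version falls inside the range given in the advisory."""
    v = parse_version(version)
    return v is not None and FIRST_AFFECTED <= v < FIRST_FIXED

def scan(tree_text):
    """Return (artifact, version, affected) for each relevant Netty coordinate."""
    findings = []
    for line in tree_text.splitlines():
        m = re.search(r"io\.netty:\S+", line)
        if not m:
            continue
        # group:artifact:type[:classifier]:version:scope
        parts = m.group(0).split(":")
        if len(parts) < 5 or parts[1] not in ARTIFACTS:
            continue
        version = parts[-2]  # version precedes scope, with or without classifier
        findings.append((parts[1], version, affected(version)))
    return findings

# Constructed sample of `mvn dependency:tree` output
SAMPLE = """\
[INFO] com.example:gateway:jar:1.0.0
[INFO] +- io.netty:netty-handler:jar:4.1.100.Final:compile
[INFO] +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.100.Final:compile
[INFO] +- io.netty:netty-all:jar:4.1.118.Final:runtime
"""

if __name__ == "__main__":
    for artifact, version, hit in scan(SAMPLE):
        status = "AFFECTED, upgrade to 4.1.118.Final" if hit else "ok"
        print(f"{artifact} {version}: {status}")
```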
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of improper input validation in SslHandler to trigger a native crash, directly facilitating application or system exploitation for denial of service (T1499.004).