Description
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, the handler does not correctly validate such a packet in all cases, which can lead to a native crash (a denial of service of the whole JVM process, not just the affected connection). Version 4.1.118.Final contains a patch. As a workaround, it is possible either to disable the usage of the native SSLEngine (so that the JDK SSLEngine is used instead) or to apply the fix commit manually.
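The following is an added example, not code from the Netty project or from this advisory, showing the two things a practitioner wants to do with this entry: check whether the netty-handler artifact on the classpath is inside the affected range, and build an SslContext that is pinned to the JDK provider so the native (OpenSSL/tcnative) SSLEngine is never selected. The version-range helper, the class name and the client-side context are assumptions for illustration; the SslContextBuilder, SslProvider, OpenSsl and Version calls are standard Netty APIs. The same `.sslProvider(SslProvider.JDK)` call applies to `SslContextBuilder.forServer(...)`.

```java
import io.netty.buffer.UnpooledByteBufAllocator;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.Version;

// Hypothetical helper class (not part of Netty) for CVE-2025-24970 triage.
public class NettySslProviderCheck {

    // Parse "4.1.117.Final" into {4, 1, 117}; the qualifier is ignored.
    static int[] parseVersion(String v) {
        String[] parts = v.split("\\.");
        return new int[] {
            Integer.parseInt(parts[0]),
            Integer.parseInt(parts[1]),
            Integer.parseInt(parts[2])
        };
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    // Affected range from the advisory: >= 4.1.91.Final and < 4.1.118.Final.
    static boolean isAffectedVersion(String artifactVersion) {
        int[] v = parseVersion(artifactVersion);
        return compare(v, new int[] {4, 1, 91}) >= 0
            && compare(v, new int[] {4, 1, 118}) < 0;
    }

    // Workaround from the advisory: never let Netty pick the native engine.
    // Without an explicit provider, Netty defaults to OPENSSL whenever
    // netty-tcnative is on the classpath.
    static SslContext jdkOnlyClientContext() throws Exception {
        return SslContextBuilder.forClient()
            .sslProvider(SslProvider.JDK)
            .build();
    }

    public static void main(String[] args) throws Exception {
        // Version.identify() reads the netty-version.properties of each
        // Netty jar on the classpath; the key is the artifactId.
        Version handlerVersion = Version.identify().get("netty-handler");
        if (handlerVersion == null) {
            System.out.println("netty-handler not found on the classpath");
        } else {
            String v = handlerVersion.artifactVersion();
            System.out.println("netty-handler " + v + (isAffectedVersion(v)
                ? " is in the affected range: upgrade to 4.1.118.Final"
                : " is outside the affected range"));
        }

        // If this is true, an SslContext built without an explicit provider
        // would use the native engine that the advisory tells you to avoid.
        System.out.println("native OpenSSL engine available: " + OpenSsl.isAvailable());

        SslContext ctx = jdkOnlyClientContext();
        SslHandler handler = ctx.newHandler(UnpooledByteBufAllocator.DEFAULT);
        // Expect a javax.net.ssl/sun.security.ssl engine here, never a
        // ReferenceCountedOpenSslEngine.
        System.out.println("SSLEngine in use: " + handler.engine().getClass().getName());
    }
}
```

Run it with the application's own classpath (for example via `mvn exec:java` or a test) rather than stand-alone, since `Version.identify()` reports only the Netty jars that are actually loaded. Pinning the JDK provider trades the native engine's performance for safety until the upgrade to 4.1.118.Final lands; it is a stop-gap, not a replacement for the patch.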
References (5)
Third Party Advisory
https://security.netapp.com/advisory/ntap-20250221-0005/
Exploit, Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-detection
Exploit, Mitigation, Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-mitigation
Vendor Advisory x_refsource_confirm
https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw
Patch x_refsource_misc
https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4
Scores
CVSS v3
7.5
EPSS
0.0095
EPSS Percentile
76.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (4)
io.netty/netty-handler
4.1.91.Final up to, but not including, 4.1.118.Final (Maven)
netapp/active_iq_unified_manager
(3 CPE variants)
netapp/oncommand_insight
netty/netty
4.1.91 up to, but not including, 4.1.118
Published
Feb 10, 2025
Tracked Since
Feb 18, 2026