operatorfabric-core icon indicating copy to clipboard operation
operatorfabric-core copied to clipboard

Published 20 hours ago verified publisher icon opfab

CVE-2025-25193 (Medium) detected in netty-common-4.1.115.Final.jar

Open mend-bolt-for-github[bot] opened this issue 9 months ago • 0 comments

CVE-2025-25193 - Medium Severity Vulnerability

Vulnerable Library - netty-common-4.1.115.Final.jar

Library home page: https://netty.io/

Path to dependency file: /src/test/api/karate/karateTests.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.115.Final/9da10a9f72e3f87e181d91b525174007a6fc4f11/netty-common-4.1.115.Final.jar

Dependency Hierarchy:

  • karate-junit5-1.5.1.jar (Root Library)
    • karate-core-1.5.1.jar
      • armeria-1.31.3.jar
        • netty-handler-proxy-4.1.115.Final.jar
          • :x: netty-common-4.1.115.Final.jar (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

Publish Date: 2025-02-10

URL: CVE-2025-25193

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx

Release Date: 2025-02-10

Fix Resolution: io.netty:netty-common:4.1.118.Final

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Feb 12 '25 07:02 mend-bolt-for-github[bot]