Opentok-Java-SDK icon indicating copy to clipboard operation
Opentok-Java-SDK copied to clipboard

Published 20 hours ago verified publisher icon opentok

netty-codec-http-4.1.116.Final.jar: 1 vulnerabilities (highest severity is: 5.5)

Open mend-for-github-com[bot] opened this issue 9 months ago • 0 comments
trafficstars

Vulnerable Library - netty-codec-http-4.1.116.Final.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.116.Final/6871f95af2bc3a98fda34a580baf6cac8cbc2944/netty-common-4.1.116.Final.jar

Found in HEAD commit: 431499094d23a84b9187ef24b569995ee58d0c42

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (netty-codec-http version) Remediation Possible** Reachability
CVE-2025-25193 Medium 5.5 Not Defined 0.0% netty-common-4.1.116.Final.jar Transitive 4.1.118.Final

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-25193

Vulnerable Library - netty-common-4.1.116.Final.jar

Library home page: https://netty.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.116.Final/6871f95af2bc3a98fda34a580baf6cac8cbc2944/netty-common-4.1.116.Final.jar

Dependency Hierarchy:

  • netty-codec-http-4.1.116.Final.jar (Root Library)
    • :x: netty-common-4.1.116.Final.jar (Vulnerable Library)

Found in HEAD commit: 431499094d23a84b9187ef24b569995ee58d0c42

Found in base branch: main

Vulnerability Details

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

Publish Date: 2025-02-10

URL: CVE-2025-25193

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx

Release Date: 2025-02-10

Fix Resolution (io.netty:netty-common): 4.1.118.Final

Direct dependency fix Resolution (io.netty:netty-codec-http): 4.1.118.Final

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] avatar Feb 11 '25 12:02 mend-for-github-com[bot]