android-test-plugin-result-listener-gradle-31.9.1.jar: 10 vulnerabilities (highest severity is: 7.5) #86
Description
Vulnerable Library - android-test-plugin-result-listener-gradle-31.9.1.jar
Path to dependency file: /samples/segment-destination-example/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.93.Final/36acf0c94d03eb6ecef78a749a32cbb7dc0c57b4/netty-codec-http-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.93.Final/36acf0c94d03eb6ecef78a749a32cbb7dc0c57b4/netty-codec-http-4.1.93.Final.jar
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (android-test-plugin-result-listener-gradle version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-24970 |  High |
7.5 | netty-handler-4.1.93.Final.jar | Transitive | N/A* | ❌ |
| CVE-2025-58057 | High |
7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-55163 | High |
7.5 | netty-codec-http2-4.1.93.Final.jar | Transitive | N/A* | ❌ |
| CVE-2023-44487 | High |
7.5 | netty-codec-http2-4.1.93.Final.jar | Transitive | N/A* | ❌ |
| CVE-2025-58056 | High |
7.5 | netty-codec-http-4.1.93.Final.jar | Transitive | N/A* | ❌ |
| CVE-2023-4586 | High |
7.4 | netty-handler-4.1.93.Final.jar | Transitive | N/A* | ❌ |
| CVE-2023-34462 |  Medium |
6.5 | netty-handler-4.1.93.Final.jar | Transitive | N/A* | ❌ |
| CVE-2024-47535 | Medium |
5.5 | netty-common-4.1.93.Final.jar | Transitive | N/A* | ❌ |
| CVE-2025-25193 | Medium |
5.5 | netty-common-4.1.93.Final.jar | Transitive | N/A* | ❌ |
| CVE-2024-29025 | Medium |
5.3 | netty-codec-http-4.1.93.Final.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-24970
Vulnerable Library - netty-handler-4.1.93.Final.jar
Library home page: https://netty.io/
Path to dependency file: /segment-appcues/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.93.Final/10f7ed9d8e1bfcba416074c70e5388be96116bfc/netty-handler-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.93.Final/10f7ed9d8e1bfcba416074c70e5388be96116bfc/netty-handler-4.1.93.Final.jar
Dependency Hierarchy:
- android-test-plugin-result-listener-gradle-31.9.1.jar (Root Library)
- grpc-netty-1.57.2.jar
- netty-handler-proxy-4.1.93.Final.jar
- netty-codec-http-4.1.93.Final.jar
- ❌ netty-handler-4.1.93.Final.jar (Vulnerable Library)
- netty-codec-http-4.1.93.Final.jar
- netty-handler-proxy-4.1.93.Final.jar
- grpc-netty-1.57.2.jar
Found in base branch: main
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
Publish Date: 2025-02-10
URL: CVE-2025-24970
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-4g8c-wm8x-jfhw
Release Date: 2025-02-10
Fix Resolution: io.netty:netty-handler:4.1.118.Final
CVE-2025-58057
Vulnerable Libraries - netty-codec-http-4.1.93.Final.jar, netty-codec-4.1.93.Final.jar, netty-codec-http2-4.1.93.Final.jar
netty-codec-http-4.1.93.Final.jar
Library home page: https://netty.io/
Path to dependency file: /samples/segment-destination-example/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.93.Final/36acf0c94d03eb6ecef78a749a32cbb7dc0c57b4/netty-codec-http-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.93.Final/36acf0c94d03eb6ecef78a749a32cbb7dc0c57b4/netty-codec-http-4.1.93.Final.jar
Dependency Hierarchy:
- android-test-plugin-result-listener-gradle-31.9.1.jar (Root Library)
- grpc-netty-1.57.2.jar
- netty-handler-proxy-4.1.93.Final.jar
- ❌ netty-codec-http-4.1.93.Final.jar (Vulnerable Library)
- netty-handler-proxy-4.1.93.Final.jar
- grpc-netty-1.57.2.jar
netty-codec-4.1.93.Final.jar
Library home page: https://netty.io/
Path to dependency file: /segment-appcues/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.93.Final/503badb458b6586632be8d1f81aa4e5ab99a80fc/netty-codec-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.93.Final/503badb458b6586632be8d1f81aa4e5ab99a80fc/netty-codec-4.1.93.Final.jar
Dependency Hierarchy:
- android-test-plugin-result-listener-gradle-31.9.1.jar (Root Library)
- grpc-netty-1.57.2.jar
- netty-handler-proxy-4.1.93.Final.jar
- ❌ netty-codec-4.1.93.Final.jar (Vulnerable Library)
- netty-handler-proxy-4.1.93.Final.jar
- grpc-netty-1.57.2.jar
netty-codec-http2-4.1.93.Final.jar
Library home page: https://netty.io/
Path to dependency file: /segment-appcues/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.93.Final/f1625b43bde13ec057da0d2fe381ded2547a70e/netty-codec-http2-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.93.Final/f1625b43bde13ec057da0d2fe381ded2547a70e/netty-codec-http2-4.1.93.Final.jar
Dependency Hierarchy:
- android-test-plugin-result-listener-gradle-31.9.1.jar (Root Library)
- grpc-netty-1.57.2.jar
- ❌ netty-codec-http2-4.1.93.Final.jar (Vulnerable Library)
- grpc-netty-1.57.2.jar
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.2.4.Final and below, and netty-codec versions 4.1.124.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-03
URL: CVE-2025-58057
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: netty/netty@9d804c5
Release Date: 2025-09-03
Fix Resolution: io.netty:netty-all:4.1.125.Final,io.netty:netty-codec-http:4.1.125.Final,io.netty:netty-codec-http2:4.2.5.Final,https://github.com/netty/netty.git - netty-4.1.125.Final,io.netty:netty-codec-http:4.2.5.Final,io.netty:netty-codec-compression:4.2.5.Final,io.netty:netty-all:4.2.5.Final,io.netty:netty-codec-http2:4.1.125.Final,io.netty:netty-codec:4.1.125.Final,https://github.com/netty/netty.git - netty-4.2.5.Final
CVE-2025-55163
Vulnerable Library - netty-codec-http2-4.1.93.Final.jar
Library home page: https://netty.io/
Path to dependency file: /segment-appcues/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.93.Final/f1625b43bde13ec057da0d2fe381ded2547a70e/netty-codec-http2-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.93.Final/f1625b43bde13ec057da0d2fe381ded2547a70e/netty-codec-http2-4.1.93.Final.jar
Dependency Hierarchy:
- android-test-plugin-result-listener-gradle-31.9.1.jar (Root Library)
- grpc-netty-1.57.2.jar
- ❌ netty-codec-http2-4.1.93.Final.jar (Vulnerable Library)
- grpc-netty-1.57.2.jar
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
Publish Date: 2025-08-13
URL: CVE-2025-55163
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: netty/netty@86f5b88
Release Date: 2025-08-13
Fix Resolution: https://github.com/netty/netty.git - 4.2.4.Final,https://github.com/netty/netty.git - netty-4.1.124.Final,io.netty:netty-codec-http2:4.1.124.Final,io.netty:netty-codec-http2:4.2.4.Final
CVE-2023-44487
Vulnerable Library - netty-codec-http2-4.1.93.Final.jar
Library home page: https://netty.io/
Path to dependency file: /segment-appcues/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.93.Final/f1625b43bde13ec057da0d2fe381ded2547a70e/netty-codec-http2-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.93.Final/f1625b43bde13ec057da0d2fe381ded2547a70e/netty-codec-http2-4.1.93.Final.jar
Dependency Hierarchy:
- android-test-plugin-result-listener-gradle-31.9.1.jar (Root Library)
- grpc-netty-1.57.2.jar
- ❌ netty-codec-http2-4.1.93.Final.jar (Vulnerable Library)
- grpc-netty-1.57.2.jar
Found in base branch: main
Vulnerability Details
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Publish Date: 2023-10-10
URL: CVE-2023-44487
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0, kubernetes/apiserver- v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0
CVE-2025-58056
Vulnerable Library - netty-codec-http-4.1.93.Final.jar
Library home page: https://netty.io/
Path to dependency file: /samples/segment-destination-example/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.93.Final/36acf0c94d03eb6ecef78a749a32cbb7dc0c57b4/netty-codec-http-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.93.Final/36acf0c94d03eb6ecef78a749a32cbb7dc0c57b4/netty-codec-http-4.1.93.Final.jar
Dependency Hierarchy:
- android-test-plugin-result-listener-gradle-31.9.1.jar (Root Library)
- grpc-netty-1.57.2.jar
- netty-handler-proxy-4.1.93.Final.jar
- ❌ netty-codec-http-4.1.93.Final.jar (Vulnerable Library)
- netty-handler-proxy-4.1.93.Final.jar
- grpc-netty-1.57.2.jar
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
Publish Date: 2025-09-03
URL: CVE-2025-58056
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: netty/netty@edb55fd
Release Date: 2025-09-03
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.5.Final,https://github.com/netty/netty.git - netty-4.1.125.Final,io.netty:netty-codec-http:4.2.5.Final,io.netty:netty-codec-http:4.1.125.Final
CVE-2023-4586
Vulnerable Library - netty-handler-4.1.93.Final.jar
Library home page: https://netty.io/
Path to dependency file: /segment-appcues/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.93.Final/10f7ed9d8e1bfcba416074c70e5388be96116bfc/netty-handler-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.93.Final/10f7ed9d8e1bfcba416074c70e5388be96116bfc/netty-handler-4.1.93.Final.jar
Dependency Hierarchy:
- android-test-plugin-result-listener-gradle-31.9.1.jar (Root Library)
- grpc-netty-1.57.2.jar
- netty-handler-proxy-4.1.93.Final.jar
- netty-codec-http-4.1.93.Final.jar
- ❌ netty-handler-4.1.93.Final.jar (Vulnerable Library)
- netty-codec-http-4.1.93.Final.jar
- netty-handler-proxy-4.1.93.Final.jar
- grpc-netty-1.57.2.jar
Found in base branch: main
Vulnerability Details
A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.
Publish Date: 2023-10-04
URL: CVE-2023-4586
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: infinispan/infinispan@c5d945b
Release Date: 2023-10-04
Fix Resolution: org.infinispan:infinispan-client-hotrod:14.0.18.Final, org.infinispan:infinispan-client-hotrod-jakarta:14.0.18.Final
CVE-2023-34462
Vulnerable Library - netty-handler-4.1.93.Final.jar
Library home page: https://netty.io/
Path to dependency file: /segment-appcues/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.93.Final/10f7ed9d8e1bfcba416074c70e5388be96116bfc/netty-handler-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.93.Final/10f7ed9d8e1bfcba416074c70e5388be96116bfc/netty-handler-4.1.93.Final.jar
Dependency Hierarchy:
- android-test-plugin-result-listener-gradle-31.9.1.jar (Root Library)
- grpc-netty-1.57.2.jar
- netty-handler-proxy-4.1.93.Final.jar
- netty-codec-http-4.1.93.Final.jar
- ❌ netty-handler-4.1.93.Final.jar (Vulnerable Library)
- netty-codec-http-4.1.93.Final.jar
- netty-handler-proxy-4.1.93.Final.jar
- grpc-netty-1.57.2.jar
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The "SniHandler" can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the "SniHandler" to allocate 16MB of heap. The "SniHandler" class is a handler that waits for the TLS handshake to configure a "SslHandler" according to the indicated server name by the "ClientHello" record. For this matter it allocates a "ByteBuf" using the value defined in the "ClientHello" record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the "SslClientHelloHandler". This vulnerability has been fixed in version 4.1.94.Final.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-06-22
URL: CVE-2023-34462
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6mjq-h674-j845
Release Date: 2023-06-22
Fix Resolution: io.netty:netty-handler:4.1.94.Final;io.netty:netty-all:4.1.94.Final
CVE-2024-47535
Vulnerable Library - netty-common-4.1.93.Final.jar
Library home page: https://netty.io/
Path to dependency file: /segment-appcues/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.93.Final/1cfc49b91b0d3ddb30c9f7d8467e5d02ae8babdf/netty-common-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.93.Final/1cfc49b91b0d3ddb30c9f7d8467e5d02ae8babdf/netty-common-4.1.93.Final.jar
Dependency Hierarchy:
- android-test-plugin-result-listener-gradle-31.9.1.jar (Root Library)
- grpc-netty-1.57.2.jar
- netty-handler-proxy-4.1.93.Final.jar
- ❌ netty-common-4.1.93.Final.jar (Vulnerable Library)
- netty-handler-proxy-4.1.93.Final.jar
- grpc-netty-1.57.2.jar
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Publish Date: 2024-11-12
URL: CVE-2024-47535
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xq3w-v528-46rv
Release Date: 2024-11-12
Fix Resolution: io.netty:netty-common:4.1.115.Final
CVE-2025-25193
Vulnerable Library - netty-common-4.1.93.Final.jar
Library home page: https://netty.io/
Path to dependency file: /segment-appcues/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.93.Final/1cfc49b91b0d3ddb30c9f7d8467e5d02ae8babdf/netty-common-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.93.Final/1cfc49b91b0d3ddb30c9f7d8467e5d02ae8babdf/netty-common-4.1.93.Final.jar
Dependency Hierarchy:
- android-test-plugin-result-listener-gradle-31.9.1.jar (Root Library)
- grpc-netty-1.57.2.jar
- netty-handler-proxy-4.1.93.Final.jar
- ❌ netty-common-4.1.93.Final.jar (Vulnerable Library)
- netty-handler-proxy-4.1.93.Final.jar
- grpc-netty-1.57.2.jar
Found in base branch: main
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Publish Date: 2025-02-10
URL: CVE-2025-25193
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-389x-839f-4rhx
Release Date: 2025-02-10
Fix Resolution: io.netty:netty-common:4.1.118.Final
CVE-2024-29025
Vulnerable Library - netty-codec-http-4.1.93.Final.jar
Library home page: https://netty.io/
Path to dependency file: /samples/segment-destination-example/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.93.Final/36acf0c94d03eb6ecef78a749a32cbb7dc0c57b4/netty-codec-http-4.1.93.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.93.Final/36acf0c94d03eb6ecef78a749a32cbb7dc0c57b4/netty-codec-http-4.1.93.Final.jar
Dependency Hierarchy:
- android-test-plugin-result-listener-gradle-31.9.1.jar (Root Library)
- grpc-netty-1.57.2.jar
- netty-handler-proxy-4.1.93.Final.jar
- ❌ netty-codec-http-4.1.93.Final.jar (Vulnerable Library)
- netty-handler-proxy-4.1.93.Final.jar
- grpc-netty-1.57.2.jar
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The "HttpPostRequestDecoder" can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the "bodyListHttpData" list. The decoder cumulates bytes in the "undecodedChunk" buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-03-25
URL: CVE-2024-29025
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-29025
Release Date: 2024-03-25
Fix Resolution: io.netty:netty-codec-http:4.1.108.Final