Vulnerability Description
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, the handler does not correctly validate such a packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround, it is possible either to disable the use of the native SSLEngine or to change the code manually.
CVSS Score
HIGH (CVSS base score 7.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netty | Netty | >= 4.1.91, < 4.1.118 |
| NetApp | Active IQ Unified Manager | - |
| NetApp | OnCommand Insight | - |
Related Weaknesses (CWE)
References
- https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4 (Patch)
- https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw (Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20250221-0005/ (Third Party Advisory)
- https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-detect (Exploit, Third Party Advisory)
- https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-mitiga (Exploit, Mitigation, Third Party Advisory)
FAQ
What is CVE-2025-24970?
CVE-2025-24970 is a vulnerability with a CVSS score of 7.5 (HIGH). Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, the handler does not correctly validate such a packet in all cases, which can lead to a native crash.
How severe is CVE-2025-24970?
CVE-2025-24970 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-24970?
Yes. Netty 4.1.118.Final contains the patch; check the references section above for vendor advisories and patch information. Affected products include: Netty, NetApp Active IQ Unified Manager, and NetApp OnCommand Insight.