CVE-2025-58057 is a medium-severity vulnerability affecting Netty, an asynchronous event-driven network application framework. The vulnerability arises in the BrotliDecoder and certain other decompression decoders within netty-codec-compression versions 4.1.124.Final and below, as well as netty-codec versions 4.2.4.Final and below. When these components are supplied with specially crafted input, they can allocate a large number of reachable byte buffers, potentially leading to denial of service.
The root cause is the BrotliDecoder.decompress method, which places no limit on how many times it calls pull, each call decompressing another 64 KB of data. The resulting buffers stay reachable until an out-of-memory (OOM) condition is reached, putting service availability at risk. The issue is fixed in netty-codec version 4.1.125.Final and netty-codec-compression version 4.2.5.Final.
Organizations running affected versions of Netty should act promptly. The CVSS score of 6.9 places the vulnerability at medium severity, but the impact on service availability can be significant, so patching should be prioritized to mitigate the risk.
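A first step toward the action above is confirming whether an affected artifact is on the classpath. The following is an added example, not code from the Netty project or the advisory: it scans `mvn dependency:tree` output for the two artifacts the advisory names and flags any version below the fixed releases it cites (4.1.125.Final on the 4.1 branch, 4.2.5.Final on the 4.2 branch). The sample tree lines are constructed for illustration.

```python
import re
from typing import Optional

# Artifacts named in the advisory, and the first fixed release on each
# branch. A version below the fix on its own branch is reported as affected.
AFFECTED_ARTIFACTS = {"netty-codec", "netty-codec-compression"}
FIXED = {(4, 1): (4, 1, 125), (4, 2): (4, 2, 5)}

# Matches Maven coordinates as printed by `mvn dependency:tree`, e.g.
# "[INFO] +- io.netty:netty-codec:jar:4.1.124.Final:compile"
COORD_RE = re.compile(
    r"io\.netty:([\w.-]+):(?:[\w-]+:)?(\d+\.\d+\.\d+)(?:\.Final)?"
)

# Constructed sample output; not taken from a real build.
SAMPLE_TREE = """\
[INFO] +- io.netty:netty-codec:jar:4.1.124.Final:compile
[INFO] +- io.netty:netty-codec-http:jar:4.1.124.Final:compile
[INFO] +- io.netty:netty-codec:jar:4.0.56.Final:test
[INFO] \\- io.netty:netty-codec-compression:jar:4.2.5.Final:compile
"""


def parse_version(version: str) -> tuple:
    """'4.1.124' -> (4, 1, 124), so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(artifact: str, version: str) -> Optional[bool]:
    """True if affected, False if fixed or out of scope, None if the
    branch is not covered by the advisory's fixed versions."""
    if artifact not in AFFECTED_ARTIFACTS:
        return False
    ver = parse_version(version)
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return None
    return ver < fixed


def scan_dependency_tree(text: str) -> list:
    """Return (artifact, version, status) for every line that is affected
    or on a branch the check cannot classify; fixed artifacts are dropped."""
    findings = []
    for line in text.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue
        artifact, version = match.group(1), match.group(2)
        status = is_vulnerable(artifact, version)
        if status is not False:
            findings.append((artifact, version, status))
    return findings
```

Pipe the real `mvn dependency:tree` output into `scan_dependency_tree`; a `None` status means the version sits on a branch the advisory's fixed releases do not cover and needs manual review.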
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.