CVE-2025-58057

Description

Netty is an asynchronous event-driven network application framework for the rapid development of maintainable, high-performance protocol servers and clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, specially crafted input causes BrotliDecoder and certain other decompression decoders to allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress places no limit on how many times it calls pull, decompressing 64K bytes per call; each resulting buffer is appended to the output list and remains reachable until the JVM runs out of memory (OOM). This is fixed in netty-codec 4.1.125.Final and netty-codec-compression 4.2.5.Final.

Risk Information

Base Score: 7.5 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score (Exploitation Probability): 0.05

Associated Vulnerability

Vulnerability | OS Platform
Multiple Vulnerabilities are affected in IBM Security Guardium 12.0 | Windows
Vulnerabilities CVE-2025-58057 are fixed in netty-codec 4.1.125 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.0.1 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.12.0.1 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.1.0 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 9.0.0.1 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 9.5.0 | Windows
Vulnerabilities CVE-2025-36299, CVE-2025-36357, CVE-2025-58056, CVE-2025-58057 are affected in IBM Planning Analytics Local 2.1.14 | Windows
Vulnerabilities CVE-2025-58056, CVE-2025-58057 are affected in IBM UrbanCode Deploy 7.1.2.26 | Windows
Vulnerabilities CVE-2025-58056, CVE-2025-58057 are affected in IBM UrbanCode Deploy 7.2.3.19 | Windows
Vulnerabilities CVE-2025-58056, CVE-2025-58057 are affected in IBM UrbanCode Deploy 7.3.2.14 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 9.5.0.1 | Windows
Vulnerabilities CVE-2025-58057 are fixed in Netty - netty-codec-compression 4.2.5 | Windows
Vulnerabilities CVE-2025-58057 are fixed in netty-codec for Linux 4.1.125 | Linux
Vulnerabilities CVE-2025-58057 are fixed in Netty - netty-codec-compression for Linux 4.2.5 | Linux
Improper Handling of Highly Compressed Data (Data Amplification) Vulnerability (CVE-2025-58057) | NCM

Patch Details

No records found