Headline
GHSA-4g8c-wm8x-jfhw: SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
Impact
When a specially crafted packet is received via SslHandler, the handler does not correctly validate such a packet in all cases, which can lead to a native crash.
Workarounds
As a workaround, it is possible either to disable the use of the native SSLEngine or to change the code from:
SslContext context = ...;
SslHandler handler = context.newHandler(....);    // affected pattern: handler created by the context
to:
SslContext context = ...;
SSLEngine engine = context.newEngine(....);       // create the engine explicitly
SslHandler handler = new SslHandler(engine, ....); // wrap it in SslHandler directly
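Both workarounds, written out for a server pipeline. This is an added example, not code from the advisory or from the Netty project; the PEM file paths are placeholders, and it uses the standard netty-handler API in which SslContextBuilder.sslProvider(SslProvider.JDK) selects the JDK engine instead of the native OpenSSL one.

```java
import java.io.File;
import javax.net.ssl.SSLEngine;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;

public final class SslWorkarounds {

    // Workaround 1: do not use the native SSLEngine at all. Forcing
    // SslProvider.JDK means the native engine is never selected, even when
    // netty-tcnative happens to be on the classpath.
    static SslContext jdkOnlyContext(File certChain, File privateKey) throws Exception {
        return SslContextBuilder.forServer(certChain, privateKey)
                .sslProvider(SslProvider.JDK)
                .build();
    }

    // Workaround 2: keep whatever provider the context uses (possibly native),
    // but build the SslHandler from an explicitly created SSLEngine instead of
    // calling context.newHandler(...), as the advisory describes.
    static ChannelInitializer<SocketChannel> initializerWithExplicitEngine(SslContext context) {
        return new ChannelInitializer<SocketChannel>() {
            @Override
            protected void initChannel(SocketChannel ch) {
                SSLEngine engine = context.newEngine(ch.alloc());
                ch.pipeline().addFirst("ssl", new SslHandler(engine));
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths; replace with the real certificate chain and key files.
        SslContext context = jdkOnlyContext(new File("cert.pem"), new File("key.pem"));
        ChannelInitializer<SocketChannel> init = initializerWithExplicitEngine(context);
        // `init` is what you pass to ServerBootstrap.childHandler(...) when starting the server.
    }
}
```

Upgrading io.netty:netty-handler to 4.1.118.Final removes the need for either workaround.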
- CVE-2025-24970
High severity GitHub Reviewed Published Feb 10, 2025 in netty/netty
Package
io.netty:netty-handler (Maven)
Affected versions
>= 4.1.91.Final, <= 4.1.117.Final
Patched versions
4.1.118.Final
References
- GHSA-4g8c-wm8x-jfhw
- netty/netty@87f4072
Published to the GitHub Advisory Database
Feb 10, 2025