CVE-2025-58057

Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack

CVSS 6.9 MEDIUM · EPSS 0.6% · CWE-409 (Improper Handling of Highly Compressed Data)
In short

Netty's BrotliDecoder can be driven out of memory by a small, specially crafted Brotli stream that expands into an unbounded number of output buffers, in the manner of a zip bomb. The JVM exhausts its heap and the application stops serving.

Technical detail

BrotliDecoder.decompress loops on the native decoder's pull() with no upper bound, taking the decompressed output 64 KB at a time and appending each buffer to the decode output list. Every buffer stays reachable until decode() returns, so a stream that keeps producing output keeps allocating until the JVM runs out of heap. Because the compressed input can be tiny relative to what it expands to, a limit on the size of the compressed body does not prevent this; the bound has to be placed on decompressed output. Affected: Netty 4.1.x up to and including 4.1.124.Final (where BrotliDecoder ships in netty-codec) and Netty 4.2.x up to and including 4.2.4.Final (where it ships in netty-codec-compression); the official description notes that certain other decompression decoders are affected as well. Fixed in 4.1.125.Final and 4.2.5.Final. The issue is reachable by an unauthenticated remote peer that can get Brotli-encoded data in front of the decoder (for example an HTTP server that decompresses Content-Encoding: br request bodies, or a client that accepts br responses); the impact is denial of service only.

Summary generated and translated by AI from the official description.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
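The loop described above, as an added example that is not Netty's code. Python's standard library has no Brotli decoder, so zlib (DEFLATE) stands in for the native Brotli decoder; the structure is the one the advisory describes: pull the output 64 KiB at a time and keep every chunk in an output list until the stream ends. The bounded variant adds the two checks a decoder loop needs, an absolute cap on produced bytes and a cap on the amplification ratio, and rejects the stream the moment either is exceeded rather than after the fact. The constants, function names and the all-zeros sample payload are assumptions chosen for this illustration.

```python
"""Added example (not Netty's code): the unbounded 64 KiB pull loop behind
CVE-2025-58057 and a bounded variant, using stdlib zlib (DEFLATE) as a
stand-in for the Brotli native decoder, which Python's stdlib lacks."""
import random
import zlib

CHUNK = 64 * 1024  # BrotliDecoder pulls decompressed output 64 KiB at a time


class DecompressionBombError(Exception):
    """Raised when decompression exceeds a configured output or ratio limit."""

    def __init__(self, reason: str, produced: int, consumed: int):
        super().__init__(f"{reason}: {produced} bytes out of {consumed} bytes in")
        self.reason = reason


def make_bomb(plain_size: int) -> bytes:
    """Constructed sample input: a run of zeros, which DEFLATE shrinks ~1000:1."""
    return zlib.compress(b"\x00" * plain_size, 9)


def make_legit(size: int, seed: int = 1):
    """Constructed sample input: incompressible pseudo-random payload (~1:1).
    Returns (plaintext, compressed)."""
    plain = random.Random(seed).randbytes(size)
    return plain, zlib.compress(plain)


def pull_all_unbounded(data: bytes) -> list:
    """The flawed pattern: keep pulling 64 KiB chunks and keep every one
    reachable in an output list until the stream ends. The total amount
    allocated is entirely under the sender's control."""
    d = zlib.decompressobj()
    out, pending = [], data
    while not d.eof:
        chunk = d.decompress(pending, CHUNK)  # at most CHUNK bytes per pull
        pending = d.unconsumed_tail          # input not yet consumed
        if not chunk:
            break
        out.append(chunk)
    return out


def pull_all_bounded(data: bytes, max_output: int, max_ratio: int = 100) -> bytes:
    """Same loop with two checks after every pull: an absolute cap on bytes
    produced, and a cap on amplification (produced / compressed bytes consumed
    so far). Either one stops a bomb after its first chunk."""
    d = zlib.decompressobj()
    out, pending, produced = [], data, 0
    while not d.eof:
        chunk = d.decompress(pending, CHUNK)
        pending = d.unconsumed_tail
        if not chunk:
            break
        produced += len(chunk)
        consumed = max(len(data) - len(pending), 1)
        if produced > max_output:
            raise DecompressionBombError("output-cap", produced, consumed)
        if max_ratio and produced > max_ratio * consumed:
            raise DecompressionBombError("ratio", produced, consumed)
        out.append(chunk)
    if not d.eof:
        raise ValueError("truncated or corrupt stream")
    return b"".join(out)


def check(data: bytes, max_output: int, max_ratio: int = 100):
    """Convenience wrapper: ('ok', decompressed_len) or ('rejected', reason)."""
    try:
        return "ok", len(pull_all_bounded(data, max_output, max_ratio))
    except DecompressionBombError as e:
        return "rejected", e.reason


if __name__ == "__main__":
    bomb = make_bomb(10 * 1024 * 1024)
    chunks = pull_all_unbounded(bomb)
    print(f"{len(bomb)} compressed bytes -> {len(chunks)} buffers of {CHUNK} bytes")
    print("bounded, 1 MiB cap:", check(bomb, 1024 * 1024, max_ratio=0))
    print("bounded, ratio 100:", check(bomb, 64 * 1024 * 1024, max_ratio=100))
    plain, packed = make_legit(200_000)
    print("legit payload:", check(packed, 1024 * 1024))
```

The 10 MiB zero run compresses to roughly 10 KB, which is why a maximum-content-length check on the compressed body is no defence here. Note also where the check has to live: the chunks pile up inside a single decode() call before anything is handed to the next handler, so a downstream handler in the Netty pipeline cannot enforce the cap; only the decoder loop itself (or the fixed release) can. Where upgrading is not immediately possible, not advertising or accepting Brotli (br) at all is the blunt alternative.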
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected products
netty · netty
