CVE-2025-58057
📋 TL;DR
A denial-of-service vulnerability in Netty's BrotliDecoder and the other decompressing decoders lets a remote, unauthenticated attacker exhaust memory: specially crafted compressed input makes the decoder allocate a large number of byte buffers that all stay reachable until the decode call returns, driving the JVM into an out-of-memory condition. It affects applications that decode attacker-supplied compressed data with netty-codec 4.1.x before 4.1.125.Final, or with netty-codec-compression 4.2.x before 4.2.5.Final (the module that carries the compression codecs in the 4.2 line).
💻 Affected Systems
- Netty netty-codec-compression (4.2.x before 4.2.5.Final)
- Netty netty-codec (4.1.x before 4.1.125.Final)
📦 What is this software?
Netty by Netty
Netty is an asynchronous, event-driven network application framework for the JVM, usually pulled in transitively by HTTP, gRPC and reactive frameworks. In the 4.1 line its compression codecs, BrotliDecoder included, ship in the netty-codec module; in the 4.2 line they moved to the separate netty-codec-compression module.
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability: the JVM hits an out-of-memory error (heap, or Netty's direct-memory pool) and the application crashes or stalls, with potential cascading failures in systems that depend on it.
Likely Case
Degraded performance or service disruption for applications that decode untrusted compressed data, for example HTTP request bodies carrying Content-Encoding: br. A single client can trigger the allocation pattern, so public or high-throughput endpoints are the most exposed.
If Mitigated
Minimal impact where decompression of untrusted input is disabled or confined to trusted peers, decoded message sizes are capped, and memory monitoring catches abnormal allocation before the process dies. Note that validating or size-limiting the compressed bytes alone is weak protection, because a small compressed input can expand into a large number of buffers.
🎯 Exploit Status
Exploitation requires only sending specially crafted compressed data to an endpoint that decodes it; no authentication is needed if that endpoint is exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: netty-codec 4.1.125.Final (4.1 line), netty-codec-compression 4.2.5.Final (4.2 line)
Vendor Advisory: https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
Restart Required: Yes
Instructions:
1. Update Netty to a patched release: 4.1.125.Final or later on the 4.1 line, 4.2.5.Final or later on the 4.2 line. Netty is usually a transitive dependency of a framework, so pin the version through dependency management (for example by importing io.netty:netty-bom) rather than only in direct dependencies; otherwise the framework's older version can still win resolution.
2. For Maven: update pom.xml with <version>4.1.125.Final</version> for io.netty:netty-codec, or <version>4.2.5.Final</version> for io.netty:netty-codec-compression, keeping every Netty artifact on the same version.
3. For Gradle: update build.gradle with implementation 'io.netty:netty-codec:4.1.125.Final' or implementation 'io.netty:netty-codec-compression:4.2.5.Final'.
4. Rebuild and redeploy the application, then confirm the resolved versions in the dependency tree rather than the declared ones.
🔧 Temporary Workarounds
Limit decompression of untrusted input (all platforms)
Do not rely on a size limit on the compressed bytes: Brotli and the other codecs expand small inputs by large ratios, so a few kilobytes can still drive the decoder into allocating a large number of buffers. Until patched, avoid decoding compressed data from untrusted peers at all (for HTTP servers, do not install HttpContentDecompressor for client-supplied bodies), and keep the caps you already have on decoded message size.
Memory usage monitoring (all platforms)
Configure JVM memory monitoring so the process fails fast and is restarted by its supervisor instead of limping along (-XX:+ExitOnOutOfMemoryError makes the JVM exit on the first OOM so an orchestrator can restart it), and capture a heap dump for triage:
-XX:+HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=/path/to/dumps
🧯 If You Can't Patch
- Stop compressed request bodies at a reverse proxy or WAF before they reach the Netty service: reject or rate-limit requests carrying Content-Encoding (br in particular), and cap request body size
- Pattern-matching the compressed payload itself is not practical, since the bytes are opaque until decoded; filter on headers, size and request rate instead, and restrict exposure of the affected endpoints to trusted networks where possible
🔍 How to Verify
Check if Vulnerable:
Check the resolved dependency tree, not only the manifest (pom.xml, build.gradle, build.gradle.kts): Netty is normally transitive, so the vulnerable jar is often not declared anywhere in your own build files. Dependency scanning tools such as OWASP Dependency-Check will flag the affected coordinates.
Check Version:
For Maven: mvn dependency:tree | grep netty. For Gradle: gradle dependencies | grep netty (or gradle dependencyInsight --dependency netty-codec to see how the version was resolved). Runtime: java -cp your-app.jar io.netty.util.Version prints the version of every Netty artifact on the classpath, read from each jar's META-INF/io.netty.versions.properties; run it against the deployed classpath, not the build tree.
Verify Fix Applied:
Confirm that the resolved versions in the dependency tree are 4.1.125.Final (netty-codec) or 4.2.5.Final (netty-codec-compression) or later, and confirm at runtime that the deployed classpath carries the patched jars. Shaded or fat jars embed Netty, so they need a rebuild, not just a dependency bump on the host.
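As an added example (not from the advisory or from the Netty project), the check below parses Maven or Gradle dependency-tree output and jar paths and applies the fixed-version boundaries above. The sample lines and the project name com.example:shop-gateway are constructed. It handles two things a quick grep gets wrong: Gradle's "a -> b" conflict-resolution arrows (b is what ships) and pre-release qualifiers such as 4.2.0.Alpha1, which sort before the Final release of the same number.

```python
"""Check Netty compression-codec versions against the CVE-2025-58057 fix releases.

Added example, not part of the advisory or of Netty. It reads dependency-tree
output (Maven or Gradle) or jar paths and applies the fixed-version boundaries
from GHSA-3p8m-j85q-pgmj.
"""
import re
import sys

# First fixed release per artifact. The compression codecs moved from
# netty-codec (4.1 line) to netty-codec-compression in the 4.2 line.
FIXED = {
    "netty-codec": (4, 1, 125),
    "netty-codec-compression": (4, 2, 5),
}

# Maven:  io.netty:netty-codec:jar:4.1.124.Final:compile
# Gradle: io.netty:netty-codec:4.1.120.Final -> 4.1.124.Final  (conflict-resolved)
COORD_RE = re.compile(
    r"io\.netty:(netty-codec(?:-compression)?):(?:jar:)?([0-9][^:\s]*)"
    r"(?:\s*->\s*([0-9][^:\s]*))?"
)
# Jar on disk: lib/netty-codec-compression-4.2.4.Final.jar
JAR_RE = re.compile(r"(netty-codec(?:-compression)?)-([0-9][^/\s]*?)\.jar")


def version_key(version):
    """'4.1.124.Final' -> (4, 1, 124, 1). Pre-release qualifiers such as
    Alpha1/Beta2/RC1 get rank 0 so they sort before Final of the same patch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:[.-](\w+))?", version)
    if not m:
        raise ValueError(f"unrecognised Netty version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    qualifier = (m.group(4) or "Final").lower()
    return (major, minor, patch, 1 if qualifier in ("final", "ga") else 0)


def is_vulnerable(artifact, version):
    """True if this artifact version still carries the CVE-2025-58057 decoders."""
    if artifact not in FIXED:
        return False
    key = version_key(version)
    if artifact == "netty-codec" and key[:2] >= (4, 2):
        # The 4.2 netty-codec jar no longer contains the decompression
        # decoders; for 4.2 applications check netty-codec-compression instead.
        return False
    return key < FIXED[artifact] + (1,)


def scan(lines):
    """Return sorted (artifact, version, vulnerable) triples found in the lines.
    For Gradle 'a -> b' entries the resolved version b is the one that ships."""
    found = set()
    for line in lines:
        for m in COORD_RE.finditer(line):
            found.add((m.group(1), m.group(3) or m.group(2)))
        for m in JAR_RE.finditer(line):
            found.add((m.group(1), m.group(2)))
    return sorted((a, v, is_vulnerable(a, v)) for a, v in found)


# Constructed sample mixing Maven and Gradle tree output with a jar listing.
SAMPLE_LINES = """\
[INFO] com.example:shop-gateway:jar:1.0.0
[INFO] +- io.netty:netty-codec-http:jar:4.1.124.Final:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.124.Final:compile
[INFO] |  \\- io.netty:netty-handler:jar:4.1.124.Final:compile
+--- io.netty:netty-codec-compression:4.2.4.Final -> 4.2.5.Final
lib/netty-codec-compression-4.2.0.Alpha1.jar
lib/netty-codec-http-4.2.5.Final.jar
""".splitlines()


if __name__ == "__main__":
    # Pipe real output in: mvn dependency:tree | python netty_check.py
    piped = not sys.stdin.isatty()
    lines = sys.stdin.read().splitlines() if piped else SAMPLE_LINES
    for artifact, version, vuln in scan(lines):
        print(f"{'VULNERABLE' if vuln else 'ok        '} {artifact} {version}")
```

On the constructed sample this reports netty-codec 4.1.124.Final and netty-codec-compression 4.2.0.Alpha1 as vulnerable and the conflict-resolved netty-codec-compression 4.2.5.Final as fixed; netty-codec-http is ignored because it is not the affected artifact.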
📡 Detection & Monitoring
Log Indicators:
- java.lang.OutOfMemoryError, or io.netty.util.internal.OutOfDirectMemoryError (Netty allocates direct memory by default, so exhaustion often shows up off-heap first)
- High memory consumption alerts
- Application crashes with heap dump generation
- Unusual decompression processing times
Network Indicators:
- Spikes in requests with compressed bodies (Content-Encoding: br or other compressed encodings) to the affected endpoints
- Repeated connections from a single source sending compressed payloads shortly before memory alerts
SIEM Query:
source="application.logs" AND ("java.lang.OutOfMemoryError" OR "io.netty.util.internal.OutOfDirectMemoryError" OR "Direct buffer memory") AND service="<your-netty-service>"
Netty is a library, not a process, so scope the query to the service that embeds it (the service field above is a placeholder for whatever your SIEM uses) rather than matching on a process name containing "netty".
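Added example (not from the advisory or from Netty): the detection logic described in this section run over constructed sample logs. The access-log format (a reverse-proxy style line that records the request's Content-Encoding), the client addresses and the service timestamps are constructed, and the OutOfDirectMemoryError line imitates Netty's wording with made-up numbers. Beyond grepping for the error, it finds per-client bursts of compressed-body requests and lists who was sending compressed bodies in the minute before each out-of-memory event, which is the first connection to inspect in triage.

```python
"""Triage helpers for the memory-exhaustion pattern behind CVE-2025-58057.

Added example, not part of the advisory or of Netty. Log formats are
constructed: a reverse-proxy style access log carrying the request's
Content-Encoding, and an application log with JVM errors.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Netty allocates direct (off-heap) memory by default, so exhaustion often
# surfaces as OutOfDirectMemoryError rather than a plain heap OutOfMemoryError.
OOM_MARKERS = (
    "java.lang.OutOfMemoryError",
    "io.netty.util.internal.OutOfDirectMemoryError",
    "Direct buffer memory",
    "Dumping heap to",  # written by -XX:+HeapDumpOnOutOfMemoryError
)
# Request bodies with these encodings go through a decompressing decoder.
COMPRESSED_ENCODINGS = {"br", "gzip", "x-gzip", "deflate", "zstd", "snappy"}

# Constructed access-log shape: <iso-ts> <client> "<method> <path>" enc=<ce> bytes=<n> status=<s>
ACCESS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r"enc=(?P<enc>\S+) bytes=(?P<bytes>\d+) status=(?P<status>\d{3})$"
)


def parse_access(lines):
    """(timestamp, client, encoding) for every request whose body was compressed."""
    events = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group("enc").lower() in COMPRESSED_ENCODINGS:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("client"), m.group("enc")))
    events.sort()
    return events


def compressed_request_bursts(access_lines, window_s=5.0, threshold=20):
    """Peak number of compressed-body requests per client inside any sliding
    window of window_s seconds; returns only clients at or above threshold."""
    windows, peak = defaultdict(deque), defaultdict(int)
    for ts, client, _enc in parse_access(access_lines):
        dq = windows[client]
        dq.append(ts)
        while (ts - dq[0]).total_seconds() > window_s:
            dq.popleft()
        peak[client] = max(peak[client], len(dq))
    return {c: n for c, n in peak.items() if n >= threshold}


def find_oom_events(app_log_lines):
    """(timestamp, line) for application-log lines that signal memory exhaustion."""
    events = []
    for line in app_log_lines:
        if any(marker in line for marker in OOM_MARKERS):
            events.append((datetime.fromisoformat(line.split(" ", 1)[0]), line))
    return events


def suspects_before_oom(access_lines, app_log_lines, lookback_s=60):
    """For each OOM event, count compressed-body requests per client in the
    preceding lookback_s seconds; the largest count is the first lead to chase."""
    requests = parse_access(access_lines)
    report = []
    for oom_ts, line in find_oom_events(app_log_lines):
        counts = defaultdict(int)
        for ts, client, _enc in requests:
            if oom_ts - timedelta(seconds=lookback_s) <= ts <= oom_ts:
                counts[client] += 1
        report.append((line, dict(counts)))
    return report


# Constructed sample: one client hammering a Brotli-encoded import endpoint,
# a few benign gzip uploads, a health check, then the service falls over.
BASE = datetime(2025, 9, 3, 10, 15, 0)


def _ts(ms):
    return (BASE + timedelta(milliseconds=ms)).isoformat()


SAMPLE_ACCESS_LOG = (
    [f'{_ts(200 * i)} 203.0.113.7 "POST /api/import" enc=br bytes=1831 status=200' for i in range(30)]
    + [f'{_ts(3000 + 1000 * i)} 198.51.100.2 "POST /api/import" enc=gzip bytes=40213 status=200' for i in range(3)]
    + [f'{_ts(2500)} 198.51.100.9 "GET /healthz" enc=identity bytes=0 status=200']
)
SAMPLE_APP_LOG = [
    f"{_ts(1000)} INFO  Accepted connection from 203.0.113.7",
    f"{_ts(7000)} ERROR io.netty.util.internal.OutOfDirectMemoryError: failed to allocate 16777216 byte(s) of direct memory",
    f"{_ts(7000)} ERROR java.lang.OutOfMemoryError: Java heap space",
    f"{_ts(7000)} INFO  Dumping heap to /var/dumps/java_pid4242.hprof ...",
]

if __name__ == "__main__":
    print("bursts:", compressed_request_bursts(SAMPLE_ACCESS_LOG))
    for line, counts in suspects_before_oom(SAMPLE_ACCESS_LOG, SAMPLE_APP_LOG):
        print(line, "<-", counts)
```

On the sample, 203.0.113.7 peaks at 26 compressed requests in a five-second window and accounts for 30 of the 33 compressed bodies in the minute before the OOM, while the gzip client stays under the burst threshold. The window and threshold are starting points; tune them to the endpoint's normal traffic so benign batch uploads do not trip the alert.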