**Name of the Vulnerable Software and Affected Versions**

Netty versions 4.1.124.Final and below

Netty versions 4.2.4.Final and below

**Description**

Netty is an asynchronous event-driven network application framework. Certain decompression decoders, including `BrotliDecoder`, can allocate a large number of byte buffers when provided with specially crafted input, potentially leading to a denial of service. The `decompress` function within `BrotliDecoder` repeatedly calls `pull`, decompressing data in 64KB chunks, and the resulting buffers remain reachable until an out-of-memory (OOM) error occurs.

**Recommendations**

Update to Netty version 4.1.125.Final or later.

Update to Netty version 4.2.5.Final or later.