PT-2025-35822 · Netty+6
Yawkat · Published 2025-09-03 · Updated 2026-04-08
CVE-2025-58057 · CVSS v2.0 7.8 (High) · AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Netty 4.1.124.Final and earlier; Netty 4.2.4.Final and earlier (4.2 branch).
Description: Netty is an asynchronous event-driven network application framework. Certain decompression decoders, including BrotliDecoder, allocate a large number of byte buffers when given specially crafted (highly compressible) input, which can lead to a denial of service. The decompress function in BrotliDecoder calls pull in a loop, producing output in 64 KB chunks, and every chunk stays reachable until the loop ends, so a small compressed payload makes the process allocate memory in proportion to the decompressed size until an out-of-memory (OOM) error occurs. No authentication is required (Au:N) and the impact is availability only (C:N/I:N/A:C). A deployment is exposed when one of these decoders sits in a pipeline that decodes data supplied by remote peers. When checking exposure, use the resolved Netty version in the dependency tree rather than the declared one, since a transitive dependency often pins an older Netty.
Recommendations: Update to Netty 4.1.125.Final or later, or, on the 4.2 branch, 4.2.5.Final or later. Until the upgrade is in place, keep BrotliDecoder and the other affected decompression decoders out of pipelines that handle untrusted input. Because the buffers pile up inside a single decompress call, a size limit placed after the decoder in the pipeline does not bound this allocation; the fix has to be in the decoder itself.
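To make the allocation pattern behind the Description and the reasoning behind the Recommendations concrete, here is an added example in Python; it is not Netty code and not the project's fix. zlib stands in for the Brotli codec (the standard library has no Brotli decoder), but the loop shape mirrors the advisory: a decompress routine pulling output in 64 KB chunks. decompress_all keeps every chunk until the stream ends, as the vulnerable decoder does, so memory scales with the sender-controlled decompressed size; decompress_bounded hands over one chunk at a time and refuses to go past a total-output cap. The function names, the cap value and the constructed input are assumptions of this example.

```python
import zlib

# The advisory says BrotliDecoder pulls decompressed output in 64 KB pieces.
CHUNK = 64 * 1024


def make_bomb(decompressed_size: int) -> bytes:
    """Constructed attacker input: a run of zero bytes, which deflates at
    roughly 1000:1, so a few kilobytes on the wire expand to megabytes."""
    return zlib.compress(b"\0" * decompressed_size, 9)


def decompress_all(compressed: bytes) -> list[bytes]:
    """Vulnerable pattern (models the pre-fix loop): pull 64 KB chunks until
    the stream ends and keep every chunk. Memory grows with the decompressed
    size, which the sender controls, and nothing is released before the loop
    finishes."""
    d = zlib.decompressobj()
    chunks: list[bytes] = []
    data = compressed
    while not d.eof:
        chunk = d.decompress(data, CHUNK)   # at most CHUNK bytes of output
        data = d.unconsumed_tail             # input not yet consumed
        if chunk:
            chunks.append(chunk)
        elif not data:
            break                            # truncated stream, no end marker
    return chunks


class DecompressionLimitExceeded(Exception):
    """Raised when the decompressed output would exceed the configured cap."""


def decompress_bounded(compressed: bytes, max_output: int):
    """Hardened pattern: yield one chunk per pull so the caller can process and
    drop it before the next pull (only one chunk is live at a time), and stop
    once the total output exceeds max_output. The cap is an assumption of this
    example; choose it per protocol."""
    d = zlib.decompressobj()
    data = compressed
    produced = 0
    while not d.eof:
        chunk = d.decompress(data, CHUNK)
        data = d.unconsumed_tail
        if chunk:
            produced += len(chunk)
            if produced > max_output:
                raise DecompressionLimitExceeded(
                    f"decompressed output exceeds {max_output} bytes")
            yield chunk
        elif not data:
            break


def consume(compressed: bytes, max_output: int) -> tuple[int, bool]:
    """Drive the bounded decoder the way a pipeline handler would: count the
    chunks handed over, dropping each one, and report whether the cap fired."""
    seen = 0
    try:
        for _chunk in decompress_bounded(compressed, max_output):
            seen += 1  # _chunk is dropped here; nothing accumulates
        return seen, False
    except DecompressionLimitExceeded:
        return seen, True


if __name__ == "__main__":
    bomb = make_bomb(8 * 1024 * 1024)          # 8 MiB of zeros, ~8 KB compressed
    held = decompress_all(bomb)
    print(f"{len(bomb)} compressed bytes -> {len(held)} chunks, "
          f"{sum(map(len, held))} bytes held at once")
    print("bounded (1 MiB cap):", consume(bomb, 1024 * 1024))
```

Running the script shows the amplification: a payload under 16 KB makes decompress_all hold 128 chunks (8 MiB) at once, while decompress_bounded with a 1 MiB cap stops after 16 chunks. The same consideration applies to any decoder placed in a pipeline: the cap and the one-chunk-at-a-time hand-off have to live inside the decode loop, because a limit applied downstream only sees the output after the loop has already allocated everything.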

Tags: Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALT-PU-2025-12309
ALT-PU-2025-13422
BDU:2025-12594
CLEANSTART-2026-GQ14179
CLEANSTART-2026-IA43044
CLEANSTART-2026-KM27583
CVE-2025-58057
ECHO-5B70-97C8-C749
GHSA-3P8M-J85Q-PGMJ
OPENSUSE-SU-2025:15520-1
SUSE-SU-2025:03114-1
SUSE-SU-2025_03114-1
USN-7918-1

Affected Products

Alt Linux
Debian
Linuxmint
Netty
Red Os
Suse
Ubuntu