PT-2025-6111 · Netty+4 · Netty+6
Johnou · Published 2025-02-10 · Updated 2026-05-18 · CVE-2025-24970
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Netty versions 4.1.91.Final through 4.1.117.Final
Description
The vulnerability affects Netty, an asynchronous, event-driven network application framework. When SslHandler receives a specially crafted packet, it does not correctly validate that packet in all cases, which can lead to a native crash. An unauthenticated attacker can trigger the crash remotely with no user interaction; the impact is to availability only, with no impact to confidentiality or integrity.
Recommendations
For Netty versions 4.1.91.Final through 4.1.117.Final, upgrade to version 4.1.118.Final or later.
As a temporary workaround, disable the use of the native SSLEngine, or change the code manually so that validation of specially crafted packets received via SslHandler is handled correctly.
For Confluence Data Center and Server 8.5, upgrade to a release greater than or equal to 8.5.20.
For Confluence Data Center and Server 9.2, upgrade to a release greater than or equal to 9.2.2.
For Confluence Data Center and Server 9.3, upgrade to a release greater than or equal to 9.3.2.
For Bamboo Data Center and Server 9.6, upgrade to a release greater than or equal to 9.6.11.
For Bamboo Data Center and Server 10.2, upgrade to a release greater than or equal to 10.2.2.
Exploit
Fix
DoS
RCE
Resource Exhaustion
Related Identifiers
Affected Products
Bamboo
Bitbucket
Confluence
Debian
Netty
Red Os
Suse