PT-2025-6114 · Netty+2
Chrisvest · Published 2025-02-10 · Updated 2026-05-18
CVE-2025-25193
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Netty versions up to and including 4.1.118.Final
Description
The issue stems from unsafe reading of environment files, which can lead to a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file there, the Netty application may crash. A similar issue was previously reported, but the fix was incomplete: null bytes were not counted against the input limit. The vulnerability is tied to the BufferedReader.readLine() function and the InputStreamReader, which can fill the line buffer with replacement characters when it encounters null bytes.
Recommendations
For Netty versions up to and including 4.1.118.Final, consider updating to a version that includes the complete fix for this issue, as the current fix is incomplete. As a temporary workaround, consider restricting access to the vulnerable BufferedReader.readLine() function or the InputStreamReader to minimize the risk of exploitation. Additionally, avoid using the InputStreamReader with files that may contain null bytes, as this can trigger the vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
DoS
Resource Exhaustion
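The description above turns on where the input limit is enforced: a bound applied after decoding can be bypassed by bytes the decoder expands or does not count, such as null bytes. The following is an added example, not Netty's code, that contrasts an unbounded BufferedReader.readLine() loop with a reader whose budget is enforced on raw bytes before the InputStreamReader ever sees them. The class name, the limits MAX_FILE_BYTES and MAX_LINE_CHARS, and the constructed input are all assumptions for this example.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Added example (not Netty code): bounding a line-oriented file read at the byte level. */
public final class BoundedEnvFileReader {

    // Hypothetical budgets chosen for this example.
    static final int MAX_FILE_BYTES = 64 * 1024; // raw bytes handed to the decoder
    static final int MAX_LINE_CHARS = 4096;      // decoded characters per line

    /** Signals that the file exceeded a budget; a caller would treat it as unusable. */
    static final class InputTooLargeException extends IOException {
        InputTooLargeException(String msg) { super(msg); }
    }

    /** Counts every raw byte, null bytes included, before any character decoding happens. */
    static final class BoundedInputStream extends FilterInputStream {
        private long remaining;

        BoundedInputStream(InputStream in, long limit) {
            super(in);
            this.remaining = limit;
        }

        @Override
        public int read() throws IOException {
            byte[] one = new byte[1];
            int n = read(one, 0, 1);
            return n < 0 ? -1 : (one[0] & 0xff);
        }

        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            if (len == 0) return 0;
            if (remaining <= 0) {
                // Budget spent: a clean EOF is fine, any further byte means the file is too large.
                if (in.read() < 0) return -1;
                throw new InputTooLargeException("byte budget of " + MAX_FILE_BYTES + " exhausted");
            }
            int n = in.read(buf, off, (int) Math.min(len, remaining));
            if (n > 0) remaining -= n;
            return n;
        }
    }

    /** Weak form: nothing bounds the read, so a huge or null-filled file is buffered in full. */
    static List<String> readUnbounded(InputStream in) throws IOException {
        List<String> lines = new ArrayList<>();
        BufferedReader r = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8));
        for (String line = r.readLine(); line != null; line = r.readLine()) {
            lines.add(line);
        }
        return lines;
    }

    /** Hardened form: byte budget ahead of the decoder, plus a cap on decoded line length. */
    static List<String> readBounded(InputStream in) throws IOException {
        List<String> lines = new ArrayList<>();
        BufferedReader r = new BufferedReader(new InputStreamReader(
                new BoundedInputStream(in, MAX_FILE_BYTES), StandardCharsets.UTF_8));
        for (String line = r.readLine(); line != null; line = r.readLine()) {
            if (line.length() > MAX_LINE_CHARS) {
                throw new InputTooLargeException("line exceeds " + MAX_LINE_CHARS + " chars");
            }
            lines.add(line);
        }
        return lines;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: one ordinary line, then a run of null bytes four times
        // the budget with no newline in it, so readLine() would buffer it as one line.
        byte[] header = "PATH=/usr/bin\n".getBytes(StandardCharsets.UTF_8);
        byte[] file = new byte[header.length + MAX_FILE_BYTES * 4]; // Java zero-fills the rest
        System.arraycopy(header, 0, file, 0, header.length);

        List<String> weak = readUnbounded(new ByteArrayInputStream(file));
        System.out.println("unbounded: " + weak.size() + " lines, second line has "
                + weak.get(1).length() + " chars");

        try {
            readBounded(new ByteArrayInputStream(file));
            System.out.println("bounded: accepted");
        } catch (InputTooLargeException e) {
            System.out.println("bounded: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The design point is that the budget is spent in bytes, so whatever the decoder produces from a null byte or an invalid sequence cannot inflate past it; the per-line character cap is a second, independent guard for inputs that decode to more characters than expected.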
Affected Products
Netty
Red Os
Suse