CVE Tools
Sign in

CVE-2025-58057

Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack

Published: Sep 3, 2025Updated: Sep 8, 2025 Sources: CVE List NVD GHSA BDUCWE-409
NVD MITRE
7.5CVSSHIGH
EPSS Score
0.6%
Top 57.9%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:NA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:NIntegrity
None
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-409

Affected Products

nettynetty
LibraryLibrary
OSS Libraries / generic-library
io.netty:netty-codec-compressionMavenOSS Libraries
io.netty:netty-codecMavenOSS Libraries
UbuntuCanonical Ltd.
On-premOS
Operating Systems / linux-distro
РЕД ОСООО «Ред Софт»
On-premOS
Operating Systems / linux-distro
nettyoss-projectOSS Librariesaka io.netty:netty, netty-incubator-codec-ohttp
mavenpackage-ecosystemOSS Libraries
canonical ltd.commercialGBOperating Systemsaka canonical
ооо «ред софт»commercialRUOperating Systemsaka red soft
and 6 more affected products View all →

Exploitability

Official Patch Available

References

https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
github.com
https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d
github.com
https://nvd.nist.gov/vuln/detail/CVE-2025-58057
nvd.nist.gov
and 6 more references View all →

Timeline

Published
Sep 3, 2025
Last Updated
Sep 8, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-58057 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows