CVE-2025-58057
Denial of Service vulnerability in netty-codec-compression (Maven)
What is CVE-2025-58057 About?
This vulnerability exists in `BrotliDecoder` and other decompressing decoders, where specially crafted input can cause the allocation of a large number of reachable byte buffers. This leads to an out-of-memory error and a denial of service. The vulnerability is a decompression bomb (the same class of attack as a zip bomb), so exploitation is straightforward for any attacker who can supply compressed data to the vulnerable decoder.
Affected Software
- io.netty:netty-codec-compression
- >=4.2.0.Alpha1, <4.2.5.Final
- io.netty:netty-codec
- <4.1.125.Final
Technical Details
The BrotliDecoder.decompress method in io.netty.handler.codec.compression places no upper bound on how many times it invokes the underlying Brotli decoder's pull operation for a single input. A specially crafted Brotli stream therefore lets the decoder keep producing output in 64KB chunks. Each chunk is copied into a newly allocated byte buffer and appended to an internal output list, and none of those buffers is released while decoding continues. Because every buffer in the list remains reachable, memory consumption grows with the decompressed size rather than the compressed size, until the JVM throws an OutOfMemoryError, typically reported as a 'Cannot reserve direct buffer memory' failure. A small input that expands to a very large output is all that is needed, which makes this a decompression bomb: a few kilobytes of compressed data can exhaust the available memory and take the service down.
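The following is an added illustration written for this page, not Netty's code and not the project's fix, of the loop shape described above and in the exploitability discussion below: a decoder pulled in 64KB chunks whose output is retained in a list until end-of-stream, next to a bounded version that caps cumulative output. It uses zlib from the Python standard library as a stand-in for the Brotli decoder (the bomb-expansion behaviour is the same for any decompressor), and the sample "bomb" input is constructed inline. The function names, the 8 MiB payload size and the 1 MiB cap are assumptions chosen for the demonstration.

```python
"""Decompression-bomb demonstration (added example; not Netty's code).

Uses zlib as a stand-in for Brotli: the vulnerable loop keeps every pulled
chunk reachable until end-of-stream, the bounded loop stops once the
cumulative output exceeds a cap.
"""
import zlib

CHUNK = 64 * 1024  # pull size; the advisory describes 64KB pulls from Brotli


def make_bomb(expanded_size: int) -> bytes:
    """Constructed sample input: a run of zero bytes compresses roughly 1000:1."""
    return zlib.compress(b"\x00" * expanded_size, 9)


def _pull(decoder, data: bytes):
    """Yield decompressed output in CHUNK-sized pulls from a zlib decompressobj.

    Mirrors a decoder's pull() loop: keep pulling until the stream signals
    end-of-stream, and fail if the input runs out before that (truncated data).
    """
    pending = data
    while not decoder.eof:
        out = decoder.decompress(pending, CHUNK)
        pending = decoder.unconsumed_tail
        if out:
            yield out
        elif not pending and not decoder.eof:
            raise ValueError("truncated compressed stream")


def vulnerable_inflate(data: bytes) -> list:
    """Unbounded loop: every pulled chunk stays reachable in an output list
    until end-of-stream, so live memory equals whatever the input expands to."""
    output = []
    for chunk in _pull(zlib.decompressobj(), data):
        output.append(chunk)
    return output


class DecompressionBombError(Exception):
    """Raised when decompressed output would exceed the configured cap."""


def bounded_inflate(data: bytes, max_output: int) -> bytes:
    """Bounded loop: tracks cumulative output and aborts as soon as the cap is
    exceeded, so at most max_output + CHUNK bytes are ever live at once."""
    produced = 0
    output = []
    for chunk in _pull(zlib.decompressobj(), data):
        produced += len(chunk)
        if produced > max_output:
            raise DecompressionBombError(
                f"decompressed output exceeds {max_output} bytes "
                f"(compressed input was only {len(data)} bytes)"
            )
        output.append(chunk)
    return b"".join(output)


if __name__ == "__main__":
    bomb = make_bomb(8 * 1024 * 1024)  # 8 MiB of zeros, a few KiB compressed
    chunks = vulnerable_inflate(bomb)
    print(f"{len(bomb)} compressed bytes -> {sum(map(len, chunks))} live bytes "
          f"in {len(chunks)} reachable buffers")
    try:
        bounded_inflate(bomb, max_output=1024 * 1024)
    except DecompressionBombError as e:
        print("bounded decoder rejected it:", e)
```

The cap must be enforced on cumulative decompressed output, not on input size: the compressed input here is a few kilobytes regardless of how large the payload is. In a real service the cap should be derived from what the endpoint legitimately needs (for example the configured maximum request body size), and the check has to run inside the pull loop so the decoder never retains more than one extra chunk past the limit.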
What is the Impact of CVE-2025-58057?
Successful exploitation may allow attackers to cause a denial of service, making the affected application or service unavailable to legitimate users.
What is the Exploitability of CVE-2025-58057?
Exploitation of this denial of service vulnerability is of low complexity. An attacker needs only to deliver a specially crafted Brotli-compressed input to an application that passes untrusted data through BrotliDecoder (or one of the other vulnerable decompressing decoders). No authentication or special privileges are required beyond the ability to send that input. The attack is typically remote wherever the application accepts Brotli-compressed data on a network interface, for example HTTP requests carrying a Brotli content encoding. Given how cheaply a small payload triggers an OutOfMemoryError, this is an efficient way to render a service unavailable, and the risk of exploitation should be treated as high.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-58057?
Available Upgrade Options
- io.netty:netty-codec
- <4.1.125.Final → Upgrade to 4.1.125.Final
- io.netty:netty-codec-compression
- >=4.2.0.Alpha1, <4.2.5.Final → Upgrade to 4.2.5.Final
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2025-58057
- https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d
- https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
- https://github.com/netty/netty
- https://osv.dev/vulnerability/GHSA-3p8m-j85q-pgmj
What are Similar Vulnerabilities to CVE-2025-58057?
Similar Vulnerabilities: CVE-2021-39147, CVE-2018-1000632, CVE-2018-1000633, CVE-2017-10116, CVE-2017-10115
