Moderate severityNVD Advisory· Published Feb 10, 2025· Updated Feb 21, 2025

Denial of Service attack on windows app using Netty

CVE-2025-25193

Description

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
io.netty:netty-commonMaven	< 4.1.118.Final	4.1.118.Final

Affected products

Netty/Nettyv5
Range: <= 4.1.118

Patches

d1fbda62d3a4

Merge commit from fork

https://github.com/netty/nettyNorman MaurerFeb 10, 2025via ghsa

commit

2 files changed · +38 −9

common/src/main/java/io/netty/util/internal/BoundedInputStream.java+2 −6 modified

@@ -40,11 +40,9 @@ public int read() throws IOException {
         checkMaxBytesRead();
 
         int b = super.read();
-        if (b > 0) {
+        if (b != -1) {
             numRead++;
         }
-
-        checkMaxBytesRead();
         return b;
     }
 
@@ -57,11 +55,9 @@ public int read(byte[] buf, int off, int len) throws IOException {
 
         int b = super.read(buf, off, num);
 
-        if (b > 0) {
+        if (b != -1) {
             numRead += b;
         }
-
-        checkMaxBytesRead();
         return b;
     }

common/src/test/java/io/netty/util/internal/BoundedInputStreamTest.java+36 −3 modified

@@ -15,20 +15,22 @@
  */
 package io.netty.util.internal;
 
+import org.junit.jupiter.api.RepeatedTest;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.function.Executable;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.util.Arrays;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 public class BoundedInputStreamTest {
 
-    @Test
+    @RepeatedTest(50)
     void testBoundEnforced() throws IOException {
         final byte[] bytes = new byte[64];
         PlatformDependent.threadLocalRandom().nextBytes(bytes);
@@ -38,19 +40,50 @@ void testBoundEnforced() throws IOException {
         assertThrows(IOException.class, new Executable() {
             @Override
             public void execute() throws Throwable {
-                reader.read(new byte[64], 0, 64);
+                int max = bytes.length;
+                do {
+                    int result = reader.read(new byte[max], 0, max);
+                    assertThat(result).isNotEqualTo(-1);
+                    max -= result;
+                } while (max > 0);
             }
         });
         reader.close();
     }
 
     @Test
+    void testBoundEnforced256() throws IOException {
+        final byte[] bytes = new byte[256];
+        for (int i = 0; i < bytes.length; i++) {
+            bytes[i] = (byte) i;
+        }
+        final BoundedInputStream reader = new BoundedInputStream(new ByteArrayInputStream(bytes), bytes.length - 1);
+        for (byte expectedByte : bytes) {
+            assertEquals(expectedByte, (byte) reader.read());
+        }
+
+        assertThrows(IOException.class, new Executable() {
+            @Override
+            public void execute() throws Throwable {
+                reader.read();
+            }
+        });
+        assertThrows(IOException.class, new Executable() {
+            @Override
+            public void execute() throws Throwable {
+                reader.read(new byte[1], 0, 1);
+            }
+        });
+        reader.close();
+    }
+
+    @RepeatedTest(50)
     void testBigReadsPermittedIfUnderlyingStreamIsSmall() throws IOException {
         final byte[] bytes = new byte[64];
         PlatformDependent.threadLocalRandom().nextBytes(bytes);
         final BoundedInputStream reader = new BoundedInputStream(new ByteArrayInputStream(bytes), 8192);
         final byte[] buffer = new byte[10000];
-        reader.read(buffer, 0, 10000);
+        assertThat(reader.read(buffer, 0, 10000)).isEqualTo(64);
         assertArrayEquals(bytes, Arrays.copyOfRange(buffer, 0, 64));
         reader.close();
     }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-389x-839f-4rhxghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-25193ghsaADVISORY
github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386ghsax_refsource_MISCWEB
github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhxghsax_refsource_CONFIRMWEB
security.netapp.com/advisory/ntap-20250221-0006ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000