CVE-2025-24970:
SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
CVSS Score: 7.5
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.netty:netty-handler | maven | >= 4.1.91.Final, <= 4.1.117.Final | 4.1.118.Final |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (GHSA-4g8c-wm8x-jfhw / CVE-2025-24970) states that SslHandler doesn't correctly validate specially crafted packets when using the native SSLEngine, leading to a potential native crash. The provided commit (87f40725155b2f89adfde68c7732f97c153676c4) directly addresses these validation issues in key methods.
- io.netty.handler.ssl.SslUtils.getEncryptedPacketLength (multiple overloads): These static utility methods determine the length of an incoming SSL/TLS packet from various buffer types. The patches introduce boundary checks (e.g., ensuring enough bytes are available to read a complete header) and refine the logic for specific scenarios (e.g., SSLv2 packet handling, iterating over buffer arrays). If these methods fail to validate their input and determine packet lengths correctly, they hand erroneous lengths to the packet-processing logic.
- io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap: This method, part of the native SSLEngine implementation, consumes the packet length determined by SslUtils. The patch adds an assertion (assert packetLength >= 0;), and the commit message implies improved handling of error codes from SslUtils. This suggests that previously, invalid packet lengths or unhandled error codes from SslUtils.getEncryptedPacketLength could be passed into the unwrap logic, leading to incorrect processing, buffer mismanagement, and ultimately the described native crash when interacting with the underlying OpenSSL library.
These functions are fundamental to the initial parsing and validation of SSL/TLS records. The fixes applied directly target the 'improper input validation' (CWE-20) that could be exploited by a specially crafted packet.
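The boundary checks described above, as an added illustration that is not Netty's own SslUtils or engine code: a stand-alone record-length helper that refuses to read header bytes it does not have, recognises the TLS and SSLv2 two-byte header forms, and a consumer that never forwards a sentinel or non-positive length to the decrypting engine. The class and method names, the sentinel values and the sample bytes are constructed for this example.

```java
import java.nio.ByteBuffer;

public final class RecordLengthCheck {
    static final int TLS_HEADER_LEN = 5;               // type(1) + version(2) + length(2)
    static final int MAX_TLS_PAYLOAD = 16384 + 2048;   // TLS 1.2 ciphertext limit (2^14 + 2048)
    static final int NEED_MORE = -1;                   // assumed sentinel: header not complete yet
    static final int NOT_SSL = -2;                     // assumed sentinel: not an SSL/TLS record

    // Returns the whole record length (header + payload) or a sentinel; never reads past remaining().
    static int encryptedPacketLength(ByteBuffer buf) {
        int pos = buf.position();
        int readable = buf.remaining();
        if (readable < 3) return NEED_MORE;            // too short to classify even an SSLv2 header
        int b0 = buf.get(pos) & 0xFF;
        if (b0 >= 20 && b0 <= 23) {                    // TLS content types: CCS, alert, handshake, app data
            if (readable < TLS_HEADER_LEN) return NEED_MORE;    // bounds check before the 2-byte length
            if ((buf.get(pos + 1) & 0xFF) != 3) return NOT_SSL; // SSLv3/TLS records use major version 3
            int len = ((buf.get(pos + 3) & 0xFF) << 8) | (buf.get(pos + 4) & 0xFF);
            return len > MAX_TLS_PAYLOAD ? NOT_SSL : TLS_HEADER_LEN + len;
        }
        if ((b0 & 0x80) != 0 && buf.get(pos + 2) == 1) {        // SSLv2 2-byte header with CLIENT-HELLO
            return 2 + (((b0 & 0x7F) << 8) | (buf.get(pos + 1) & 0xFF));
        }
        return NOT_SSL;
    }

    // Consumer side: neither a sentinel nor a non-positive length may reach the decrypting engine.
    static int bytesToUnwrap(ByteBuffer buf) {
        int packetLength = encryptedPacketLength(buf);
        if (packetLength == NOT_SSL) throw new IllegalStateException("not an SSL/TLS record");
        if (packetLength == NEED_MORE || packetLength > buf.remaining()) return 0; // wait for more bytes
        assert packetLength > 0 : packetLength;        // same style of guard as the patch (enable with -ea)
        return packetLength;
    }

    public static void main(String[] args) {
        // Constructed inputs: a complete TLS 1.2 application_data record and a truncated header.
        ByteBuffer full = ByteBuffer.wrap(new byte[] {23, 3, 3, 0, 2, 1, 2});
        ByteBuffer cut = ByteBuffer.wrap(new byte[] {23, 3, 3, 0});
        System.out.println(bytesToUnwrap(full) + " bytes ready; " + bytesToUnwrap(cut) + " for the truncated header");
    }
}
```

The truncated header is the case the boundary checks exist for: the helper reports that it needs more data instead of reading a length field that is not in the buffer.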