CVE-2025-24970: 
Java vulnerability analysis and mitigation

Netty, an asynchronous, event-driven network application framework, contains a vulnerability (CVE-2025-24970) affecting versions from 4.1.91.Final up to 4.1.117.Final. The vulnerability was discovered and disclosed on February 10, 2025, impacting the SslHandler component when processing specially crafted packets (GitHub Advisory, NVD).

The vulnerability stems from improper input validation (CWE-20) in Netty's SslHandler component when handling SSL/TLS packets. When a specially crafted packet is received via SslHandler, the validation process fails to handle all cases correctly, which can trigger a native crash. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely with low attack complexity and requires no privileges or user interaction (Red Hat, GitHub Advisory).

The vulnerability directly impacts the stability and reliability of applications using native SSLEngine. When exploited, it can lead to a complete process termination, potentially causing a Denial of Service (DoS) that affects high-availability systems and mission-critical services (Red Hat).

A patch is available in version 4.1.118.Final. For users unable to upgrade immediately, two workarounds are available: either disable the usage of the native SSLEngine, or modify the code to use explicit SSLEngine instantiation by changing from 'SslContext context = ...; SslHandler handler = context.newHandler(...);' to 'SslContext context = ...; SSLEngine engine = context.newEngine(...); SslHandler handler = new SslHandler(engine, ...);' (GitHub Advisory).