CVE-2025-25193: 
Java vulnerability analysis and mitigation

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. The vulnerability was discovered on February 10, 2025, and affects Windows applications using Netty. This is a follow-up issue to a previously reported vulnerability (CVE-2024-47535), where the initial fix was incomplete (GitHub Advisory).

The vulnerability stems from an unsafe reading of environment files where null-bytes were not counted against the input limit in the BoundedInputStream. When loaded on a Windows application, Netty attempts to load a non-existent file. The issue occurs because the InputStreamReader issues replacement characters during charset decoding for null-bytes, which fills up the line-buffer in BufferedReader.readLine() as the replacement character is not a line-break character. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

If exploited, this vulnerability can lead to a denial of service condition in Netty applications running on Windows. When an attacker creates a large file containing null-bytes, it can cause the Netty application to crash (GitHub Advisory).

The issue has been fixed in commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386, which modifies the BoundedInputStream to properly count all byte values toward the limit and only consider -1 as EOF. The fix ensures that the BoundedInputStream truncates and allows reads up to the limit, only triggering an exception when reading beyond the limit (GitHub Commit).