
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-58057 affects Netty, an asynchronous event-driven network application framework. The vulnerability was discovered in netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, where BrotliDecoder and certain other decompression decoders are susceptible to a denial of service attack through improper handling of compressed data. The vulnerability was disclosed on September 3, 2025 (GitHub Advisory).
The vulnerability stems from BrotliDecoder.decompress placing no limit on how many times it calls pull, decompressing 64K bytes of output on each call. Every resulting buffer is added to the output list and remains reachable there until an Out of Memory Error (OOM) is hit, so a small compressed input that expands to a very large output behaves like a zip bomb. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N, indicating it can be exploited remotely with low attack complexity and no privileges or user interaction (GitHub Advisory, Snyk).
When exploited, this vulnerability can lead to denial of service through memory exhaustion. An attacker can exhaust system memory and cause application downtime by submitting specially crafted compressed input that triggers excessive buffer allocations (Snyk).
The vulnerability has been fixed in netty-codec version 4.1.125.Final and netty-codec-compression version 4.2.5.Final. Users are advised to upgrade to these patched versions. The fix ensures that decompressing decoders fire their buffers through the pipeline as fast as possible, so downstream handlers take ownership of each buffer as soon as it is produced instead of after the whole input has been decompressed, reducing the risk of Out of Memory Errors (GitHub Commit).
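As an added example (not part of this advisory or of the Netty project), a small Python checker that scans `mvn dependency:tree` output for the two affected artifacts and flags any version older than the fixed releases named above; the dependency tree it parses is constructed for illustration.

```python
import re

# Fixed releases stated in the advisory; an older version of the same
# artifact is treated as affected by CVE-2025-58057.
FIXED_VERSIONS = {
    "netty-codec": "4.1.125.Final",
    "netty-codec-compression": "4.2.5.Final",
}

# Matches `mvn dependency:tree` coordinates: group:artifact:type:version[:scope]
DEP_RE = re.compile(
    r"io\.netty:(?P<artifact>netty-codec(?:-compression)?):[\w-]+:(?P<version>[\w.]+)"
)

# Constructed sample output, not taken from any real project.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- io.netty:netty-codec:jar:4.1.124.Final:compile
[INFO] +- io.netty:netty-codec-compression:jar:4.2.5.Final:compile
[INFO] \\- io.netty:netty-handler:jar:4.1.124.Final:compile
"""


def version_key(version):
    """Turn '4.1.124.Final' into the comparable tuple (4, 1, 124); the qualifier is ignored."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def is_affected(artifact, version):
    """True when the artifact is one of the two and its version predates the fix."""
    fixed = FIXED_VERSIONS.get(artifact)
    if fixed is None:
        return False
    return version_key(version) < version_key(fixed)


def scan_dependency_tree(text):
    """Return (artifact, version) pairs from the tree that still need the upgrade."""
    findings = []
    for match in DEP_RE.finditer(text):
        artifact, version = match.group("artifact"), match.group("version")
        if is_affected(artifact, version):
            findings.append((artifact, version))
    return findings


if __name__ == "__main__":
    for artifact, version in scan_dependency_tree(SAMPLE_TREE):
        print(f"affected: {artifact} {version} -> upgrade to {FIXED_VERSIONS[artifact]}")
```

Pipe real `mvn dependency:tree` output into `scan_dependency_tree` to check a project; Gradle users can adapt the regex to the `io.netty:netty-codec:4.1.124.Final` form printed by `gradle dependencies`.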
Source: This report was generated using AI