CVE-2025-58057: 
Java vulnerability analysis and mitigation

CVE-2025-58057 affects Netty, an asynchronous event-driven network application framework. The vulnerability was discovered in netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below. The issue was disclosed on September 3, 2025, and involves a denial of service vulnerability in the BrotliDecoder and other decompression decoders (GitHub Advisory, NVD).

The vulnerability stems from BrotliDecoder.decompress having no limit on how often it calls pull, decompressing data 64K bytes at a time. When processing specially crafted input, the decoders will allocate a large number of reachable byte buffers, which remain reachable until an Out of Memory (OOM) condition occurs. The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N, and is classified as CWE-409 (Improper Handling of Highly Compressed Data) (GitHub Advisory).

The vulnerability can lead to denial of service through a zip bomb-style attack. When exploited, it causes the allocation of a large number of byte buffers that remain in memory, eventually leading to an Out of Memory condition that can crash the application (GitHub Advisory).

The vulnerability has been fixed in netty-codec version 4.1.125.Final and netty-codec-compression version 4.2.5.Final. Users are advised to upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory, NVD).