An unsafe reading of environment file could potentially cause a denial of service in Netty.
When loaded on an Windows application, Netty attemps to load a file that does not exist. If an attacker creates such a large file, the Netty application crash.
A similar issue was previously reported in https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv
This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit.
The PoC is the same as for https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv with the detail that the file should only contain null-bytes; 0x00.
When the null-bytes are encountered by the InputStreamReader, it will issue replacement characters in its charset decoding, which will fill up the line-buffer in the BufferedReader.readLine(), because the replacement character is not a line-break character.
Impact is the same as https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv
| Score | Percentile |
|---|---|
| 0.10% | 26.48% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.5 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-389x-839f-4rhx ↗ |
| CVE | CVE-2025-25193 ↗ |
| CWE id | Name |
|---|---|
| CWE-400 | Uncontrolled Resource Consumption |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | io.netty:netty-common | < 4.1.118.Final | 4.1.118.Final | — |