CVE-2025-25193

Description

### Summary An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attemps to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. ### Details A similar issue was previously reported in https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. ### PoC The PoC is the same as for https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv with the detail that the file should only contain null-bytes; 0x00. When the null-bytes are encountered by the `InputStreamReader`, it will issue replacement characters in its charset decoding, which will fill up the line-buffer in the `BufferedReader.readLine()`, because the replacement character is not a line-break character. ### Impact Impact is the same as https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv

How to fix CVE-2025-25193

To remediate CVE-2025-25193, upgrade the affected package to a fixed version below.

• —upgrade to 4.1.118.Final or later

Is CVE-2025-25193 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 4.1.118.Final

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-25193
• PATCHgithub.com/netty/netty
• WEBgithub.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386
• WEBgithub.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx