Vulnerable Library - netty-handler-4.1.119.Final.jar
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-58057
Vulnerable Library - netty-codec-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar
Dependency Hierarchy:
- netty-handler-4.1.119.Final.jar (Root Library)
- ❌ netty-codec-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
com.opentok.util.HttpClient (Application)
-> org.asynchttpclient.DefaultAsyncHttpClient (Extension)
-> org.asynchttpclient.netty.channel.ChannelManager (Extension)
-> io.netty.handler.codec.http.websocketx.WebSocketFrameAggregator (Extension)
-> io.netty.handler.codec.MessageAggregator (Extension)
-> ❌ io.netty.handler.codec.MessageAggregationException (Vulnerable Component)
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-03
URL: CVE-2025-58057
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.068%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-09-03
Fix Resolution (io.netty:netty-codec): 4.1.125.Final
Direct dependency fix Resolution (io.netty:netty-handler): 4.1.125.Final
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-42583
Vulnerable Library - netty-codec-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar
Dependency Hierarchy:
- netty-handler-4.1.119.Final.jar (Root Library)
- ❌ netty-codec-4.1.119.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42583
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.04%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec): 4.1.133.Final
Direct dependency fix Resolution (io.netty:netty-handler): 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - netty-codec-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-03
URL: CVE-2025-58057
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.068%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-09-03
Fix Resolution (io.netty:netty-codec): 4.1.125.Final
Direct dependency fix Resolution (io.netty:netty-handler): 4.1.125.Final
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - netty-codec-4.1.119.Final.jar
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42583
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.04%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec): 4.1.133.Final
Direct dependency fix Resolution (io.netty:netty-handler): 4.1.133.Final
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.