Bug 2393000 (CVE-2025-58057)

Summary: CVE-2025-58057 netty-codec: netty-codec-compression: Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abrianik, anstephe, anthomas, aprice, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, caswilli, ccranfor, chfoley, clement.escoffier, cmah, dandread, darran.lofthouse, dbruscin, dhanak, dkreling, dnakabaa, dosoudil, drosa, dsimansk, eaguilar, ebaron, ehelms, eric.wittmann, fjuma, fmariani, fmongiar, ggainey, ggrzybek, gmalinko, gsmet, gtanzill, ibek, istudens, ivassile, iweiss, janstey, jbuscemi, jcantril, jkoehler, jmartisk, jnethert, joehler, jolong, jpechane, jrokos, jross, jsamir, jscholz, juwatts, kaycoth, kgaikwad, kingland, kvanderr, kverlaen, lcouzens, lphiri, lthon, manderse, matzew, mhulan, mnovotny, mosmerov, mposolda, mskarbek, msochure, msvehla, nipatil, nmoumoul, nwallace, oezr, olubyans, osousa, pantinor, parichar, pbizzarr, pcreech, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rchan, rguimara, rkubis, rojacob, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, smallamp, ssilvert, sthirugn, sthorger, swoodman, tasato, tcunning, tmalecek, tom.jenkinson, tqvarnst, vkrizan, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Netty. With specially crafted input, BrotliDecoder and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-09-03 22:01:12 UTC
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.

Comment 2 errata-xmlrpc 2025-10-23 17:50:42 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.3

Via RHSA-2025:19077 https://access.redhat.com/errata/RHSA-2025:19077