Is io.netty:netty-handler affected by CVE-2025-24970?

Maven io.netty:netty-handler is affected in >=4.1.91.Final <4.1.118.Final.

Is CVE-2025-24970 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 2.0%.

high

CVE-2025-24970

Q: Is CVE-2025-24970 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 2.0%.

Maven · io.netty:netty-handler

Summary

SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine

Severity: high
EPSS: 2.0% (p78)
Also known as: GHSA-4g8c-wm8x-jfhw
Published: 2025-02-10

References

https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw
https://nvd.nist.gov/vuln/detail/CVE-2025-24970
https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4

Related advisories

CVE-2026-50010 — high · Maven/io.netty:netty-handler
CVE-2026-45416 — high · Maven/io.netty:netty-handler
CVE-2026-44249 — high · Maven/io.netty:netty-handler

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.