Vulnerable Library - spring-boot-starter-data-redis-reactive-3.1.12.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.110.Final/netty-codec-4.1.110.Final.jar
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (spring-boot-starter-data-redis-reactive version) |
Remediation Possible** |
| CVE-2026-42583 |
 High |
7.5 |
netty-codec-4.1.110.Final.jar |
Transitive |
3.2.2 |
❌ |
| CVE-2025-24970 |
High |
7.5 |
netty-handler-4.1.110.Final.jar |
Transitive |
3.2.0 |
❌ |
| CVE-2025-25193 |
 Medium |
5.5 |
netty-common-4.1.110.Final.jar |
Transitive |
3.2.0 |
❌ |
| CVE-2024-47535 |
Medium |
5.5 |
netty-common-4.1.110.Final.jar |
Transitive |
N/A* |
❌ |
| CVE-2025-58057 |
Medium |
5.3 |
netty-codec-4.1.110.Final.jar |
Transitive |
3.2.2 |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-42583
Vulnerable Library - netty-codec-4.1.110.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.110.Final/netty-codec-4.1.110.Final.jar
Dependency Hierarchy:
- spring-boot-starter-data-redis-reactive-3.1.12.jar (Root Library)
- spring-boot-starter-data-redis-3.1.12.jar
- lettuce-core-6.2.7.RELEASE.jar
- netty-handler-4.1.110.Final.jar
- ❌ netty-codec-4.1.110.Final.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42583
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec): 4.1.133.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-redis-reactive): 3.2.2
Step up your Open Source Security Game with Mend here
CVE-2025-24970
Vulnerable Library - netty-handler-4.1.110.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.110.Final/netty-handler-4.1.110.Final.jar
Dependency Hierarchy:
- spring-boot-starter-data-redis-reactive-3.1.12.jar (Root Library)
- spring-boot-starter-data-redis-3.1.12.jar
- lettuce-core-6.2.7.RELEASE.jar
- ❌ netty-handler-4.1.110.Final.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
Publish Date: 2025-02-10
URL: CVE-2025-24970
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4g8c-wm8x-jfhw
Release Date: 2025-02-10
Fix Resolution (io.netty:netty-handler): 4.1.118.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-redis-reactive): 3.2.0
Step up your Open Source Security Game with Mend here
CVE-2025-25193
Vulnerable Library - netty-common-4.1.110.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.110.Final/netty-common-4.1.110.Final.jar
Dependency Hierarchy:
- spring-boot-starter-data-redis-reactive-3.1.12.jar (Root Library)
- spring-boot-starter-data-redis-3.1.12.jar
- lettuce-core-6.2.7.RELEASE.jar
- ❌ netty-common-4.1.110.Final.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Publish Date: 2025-02-10
URL: CVE-2025-25193
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-389x-839f-4rhx
Release Date: 2025-02-10
Fix Resolution (io.netty:netty-common): 4.1.118.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-redis-reactive): 3.2.0
Step up your Open Source Security Game with Mend here
CVE-2024-47535
Vulnerable Library - netty-common-4.1.110.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.110.Final/netty-common-4.1.110.Final.jar
Dependency Hierarchy:
- spring-boot-starter-data-redis-reactive-3.1.12.jar (Root Library)
- spring-boot-starter-data-redis-3.1.12.jar
- lettuce-core-6.2.7.RELEASE.jar
- ❌ netty-common-4.1.110.Final.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Publish Date: 2024-11-12
URL: CVE-2024-47535
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xq3w-v528-46rv
Release Date: 2024-11-12
Fix Resolution: io.netty:netty-common:4.1.115.Final
Step up your Open Source Security Game with Mend here
CVE-2025-58057
Vulnerable Library - netty-codec-4.1.110.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.110.Final/netty-codec-4.1.110.Final.jar
Dependency Hierarchy:
- spring-boot-starter-data-redis-reactive-3.1.12.jar (Root Library)
- spring-boot-starter-data-redis-3.1.12.jar
- lettuce-core-6.2.7.RELEASE.jar
- netty-handler-4.1.110.Final.jar
- ❌ netty-codec-4.1.110.Final.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-03
URL: CVE-2025-58057
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-09-03
Fix Resolution (io.netty:netty-codec): 4.1.125.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-redis-reactive): 3.2.2
Step up your Open Source Security Game with Mend here
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.110.Final/netty-codec-4.1.110.Final.jar
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - netty-codec-4.1.110.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.110.Final/netty-codec-4.1.110.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Publish Date: 2026-05-13
URL: CVE-2026-42583
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-08
Fix Resolution (io.netty:netty-codec): 4.1.133.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-redis-reactive): 3.2.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - netty-handler-4.1.110.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.110.Final/netty-handler-4.1.110.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
Publish Date: 2025-02-10
URL: CVE-2025-24970
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4g8c-wm8x-jfhw
Release Date: 2025-02-10
Fix Resolution (io.netty:netty-handler): 4.1.118.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-redis-reactive): 3.2.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - netty-common-4.1.110.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.110.Final/netty-common-4.1.110.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Publish Date: 2025-02-10
URL: CVE-2025-25193
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-389x-839f-4rhx
Release Date: 2025-02-10
Fix Resolution (io.netty:netty-common): 4.1.118.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-redis-reactive): 3.2.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - netty-common-4.1.110.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.110.Final/netty-common-4.1.110.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Publish Date: 2024-11-12
URL: CVE-2024-47535
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xq3w-v528-46rv
Release Date: 2024-11-12
Fix Resolution: io.netty:netty-common:4.1.115.Final
Step up your Open Source Security Game with Mend here
Vulnerable Library - netty-codec-4.1.110.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.110.Final/netty-codec-4.1.110.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-03
URL: CVE-2025-58057
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-09-03
Fix Resolution (io.netty:netty-codec): 4.1.125.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-redis-reactive): 3.2.2
Step up your Open Source Security Game with Mend here