Vulnerability-Lookup

RHSA-2026:3951

Vulnerability from csaf_redhat - Published: 2026-03-05 20:00 - Updated: 2026-03-30 15:53

Summary

Red Hat Security Advisory: JBoss EAP XP 5.0 Update 4.0 release. See references for release notes.

Severity

Important

Notes

Topic: JBoss EAP XP 5.0 Update 4.0 release. See references for release notes.

Details: JBoss EAP XP 5.0 Update 4.0 GA release. See references for release notes. Security Fix(es): * vertx-core: static handler component cache can be manipulated to deny the access to static files [eapxp-5] (CVE-2026-1002) * netty-codec: Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack [eapxp-5] (CVE-2025-58057) * lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing [eapxp-5] (CVE-2025-66566) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-58057

A flaw was found in Netty. With specially crafted input, BrotliDecoder and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

Vendor Fix Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/jboss_eap_xp_5.0_upgrade_and_migration_guide/index https://access.redhat.com/errata/RHSA-2026:3951

Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

CVE-2025-66566

A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-908 - Use of Uninitialized Resource

CVE-2026-1002

A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Workaround To mitigate this vulnerability, consider disabling the static handler cache by configuring the StaticHandler instance with setCachingEnabled(false), for example: ~~~ StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false); ~~~

References

URL

Category

	https://access.redhat.com/errata/RHSA-2026:3951	self
	https://access.redhat.com/security/updates/classi…	external
	https://docs.redhat.com/en/documentation/red_hat_…	external
	https://docs.redhat.com/en/documentation/red_hat_…	external
	https://docs.redhat.com/en/documentation/red_hat_…	external
	https://access.redhat.com/security/cve/CVE-2026-1002	external
	https://access.redhat.com/security/cve/CVE-2025-58057	external
	https://access.redhat.com/security/cve/CVE-2025-66566	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2025-58057	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2393000	external
	https://www.cve.org/CVERecord?id=CVE-2025-58057	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-58057	external
	https://github.com/netty/netty/commit/9d804c54ce9…	external
	https://github.com/netty/netty/security/advisorie…	external
	https://access.redhat.com/security/cve/CVE-2025-66566	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2419500	external
	https://www.cve.org/CVERecord?id=CVE-2025-66566	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-66566	external
	https://github.com/yawkat/lz4-java/commit/33d180c…	external
	https://github.com/yawkat/lz4-java/security/advis…	external
	https://access.redhat.com/security/cve/CVE-2026-1002	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2430180	external
	https://www.cve.org/CVERecord?id=CVE-2026-1002	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-1002	external
	https://github.com/eclipse-vertx/vert.x/pull/5895	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "JBoss EAP XP 5.0 Update 4.0 release. See references for release notes.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "JBoss EAP XP 5.0 Update 4.0 GA release. See references for release notes.\n\nSecurity Fix(es):\n\n* vertx-core: static handler component cache can be manipulated to deny the access to static files [eapxp-5] (CVE-2026-1002)\n\n* netty-codec: Netty\u0027s BrotliDecoder is vulnerable to DoS via zip bomb style attack [eapxp-5] (CVE-2025-58057)\n\n* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing [eapxp-5] (CVE-2025-66566)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:3951",
        "url": "https://access.redhat.com/errata/RHSA-2026:3951"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/red_hat_jboss_eap_xp_5.0_release_notes/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/red_hat_jboss_eap_xp_5.0_release_notes/index"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/jboss_eap_xp_5.0_upgrade_and_migration_guide/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/jboss_eap_xp_5.0_upgrade_and_migration_guide/index"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/using_jboss_eap_xp_5.0/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/using_jboss_eap_xp_5.0/index"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-1002",
        "url": "https://access.redhat.com/security/cve/CVE-2026-1002"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-58057",
        "url": "https://access.redhat.com/security/cve/CVE-2025-58057"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-66566",
        "url": "https://access.redhat.com/security/cve/CVE-2025-66566"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3951.json"
      }
    ],
    "title": "Red Hat Security Advisory: JBoss EAP XP 5.0 Update 4.0 release. See references for release notes.",
    "tracking": {
      "current_release_date": "2026-03-30T15:53:00+00:00",
      "generator": {
        "date": "2026-03-30T15:53:00+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.4"
        }
      },
      "id": "RHSA-2026:3951",
      "initial_release_date": "2026-03-05T20:00:33+00:00",
      "revision_history": [
        {
          "date": "2026-03-05T20:00:33+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-03-05T20:00:33+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-30T15:53:00+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss EAP XP 5.0 Update 4.0",
                "product": {
                  "name": "Red Hat JBoss EAP XP 5.0 Update 4.0",
                  "product_id": "Red Hat JBoss EAP XP 5.0 Update 4.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-58057",
      "cwe": {
        "id": "CWE-409",
        "name": "Improper Handling of Highly Compressed Data (Data Amplification)"
      },
      "discovery_date": "2025-09-03T22:00:48.401986+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2393000"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty. With specially crafted input, BrotliDecoder and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty-codec: netty-codec-compression: Netty\u0027s BrotliDecoder is vulnerable to DoS via zip bomb style attack",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Moderate for Red Hat products. A flaw in Netty\u0027s BrotliDecoder and other decompression decoders can lead to a denial of service when processing specially crafted input. This affects various Red Hat products that utilize Netty for network communication and data decompression. Using BrotliDecoder on untrusted input is entirely",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss EAP XP 5.0 Update 4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-58057"
        },
        {
          "category": "external",
          "summary": "RHBZ#2393000",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393000"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-58057",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-58057"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58057",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58057"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d",
          "url": "https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj"
        }
      ],
      "release_date": "2025-09-03T21:46:49.928000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-05T20:00:33+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/jboss_eap_xp_5.0_upgrade_and_migration_guide/index",
          "product_ids": [
            "Red Hat JBoss EAP XP 5.0 Update 4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:3951"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat JBoss EAP XP 5.0 Update 4.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss EAP XP 5.0 Update 4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty-codec: netty-codec-compression: Netty\u0027s BrotliDecoder is vulnerable to DoS via zip bomb style attack"
    },
    {
      "cve": "CVE-2025-66566",
      "cwe": {
        "id": "CWE-908",
        "name": "Use of Uninitialized Resource"
      },
      "discovery_date": "2025-12-05T19:00:50.134024+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2419500"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated IMPORTANT because it allows for information disclosure when Java-based decompressor implementations reuse output buffers without proper clearing, potentially exposing sensitive data via crafted compressed input. JNI-based implementations of lz4-java are not affected by this issue.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss EAP XP 5.0 Update 4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-66566"
        },
        {
          "category": "external",
          "summary": "RHBZ#2419500",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-66566",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
        },
        {
          "category": "external",
          "summary": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
          "url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
        },
        {
          "category": "external",
          "summary": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
          "url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
        }
      ],
      "release_date": "2025-12-05T18:10:16.470000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-05T20:00:33+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/jboss_eap_xp_5.0_upgrade_and_migration_guide/index",
          "product_ids": [
            "Red Hat JBoss EAP XP 5.0 Update 4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:3951"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss EAP XP 5.0 Update 4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing"
    },
    {
      "cve": "CVE-2026-1002",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2026-01-15T21:03:20.088599+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2430180"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability allows a remote attacker to block access to specific static files, such as images, CSS or HTML files. However, the underlying Vert.x server, the API endpoints and other non-cached resources are not affected. Due to this reason, this issue has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss EAP XP 5.0 Update 4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-1002"
        },
        {
          "category": "external",
          "summary": "RHBZ#2430180",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430180"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-1002",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-1002"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002"
        },
        {
          "category": "external",
          "summary": "https://github.com/eclipse-vertx/vert.x/pull/5895",
          "url": "https://github.com/eclipse-vertx/vert.x/pull/5895"
        }
      ],
      "release_date": "2026-01-15T20:50:25.642000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-05T20:00:33+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/jboss_eap_xp_5.0_upgrade_and_migration_guide/index",
          "product_ids": [
            "Red Hat JBoss EAP XP 5.0 Update 4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:3951"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, consider disabling the static handler cache by configuring the StaticHandler instance with setCachingEnabled(false), for example:\n\n~~~\nStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);\n~~~",
          "product_ids": [
            "Red Hat JBoss EAP XP 5.0 Update 4.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss EAP XP 5.0 Update 4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files"
    }
  ]
}

CVE-2025-58057 (GCVE-0-2025-58057)

Vulnerability from cvelistv5 – Published: 2025-09-03 21:46 – Updated: 2025-09-04 19:59

Title

Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack

Summary

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/netty/netty/security/advisorie…	x_refsource_CONFIRM
	https://github.com/netty/netty/commit/9d804c54ce9…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	netty	netty	Affected: <= 4.1.124.Final, < 4.1.125.Final Affected: <= 4.2.4.Final, < 4.2.5.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58057",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-04T19:59:14.684509Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-04T19:59:23.458Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 4.1.124.Final, \u003c 4.1.125.Final"
            },
            {
              "status": "affected",
              "version": "\u003c= 4.2.4.Final,  \u003c 4.2.5.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-409",
              "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T21:46:49.928Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj"
        },
        {
          "name": "https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d"
        }
      ],
      "source": {
        "advisory": "GHSA-3p8m-j85q-pgmj",
        "discovery": "UNKNOWN"
      },
      "title": "Netty\u0027s BrotliDecoder is vulnerable to DoS via zip bomb style attack"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58057",
    "datePublished": "2025-09-03T21:46:49.928Z",
    "dateReserved": "2025-08-22T14:30:32.221Z",
    "dateUpdated": "2025-09-04T19:59:23.458Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-66566 (GCVE-0-2025-66566)

Vulnerability from cvelistv5 – Published: 2025-12-05 18:10 – Updated: 2025-12-05 18:27

Title

yawkat LZ4 Java has a possible information leak in Java safe decompressor

Summary

yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.

Severity ?

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-201 - Insertion of Sensitive Information Into Sent Data

Assigner

GitHub_M

References

URL

Tags

	https://github.com/yawkat/lz4-java/security/advis…	x_refsource_CONFIRM
	https://github.com/yawkat/lz4-java/commit/33d180c…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	yawkat	lz4-java	Affected: < 1.10.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66566",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-05T18:27:10.782475Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-05T18:27:32.797Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "lz4-java",
          "vendor": "yawkat",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.10.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-05T18:10:16.470Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
        },
        {
          "name": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
        }
      ],
      "source": {
        "advisory": "GHSA-cmp6-m4wj-q63q",
        "discovery": "UNKNOWN"
      },
      "title": "yawkat LZ4 Java has a possible information leak in Java safe decompressor"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66566",
    "datePublished": "2025-12-05T18:10:16.470Z",
    "dateReserved": "2025-12-04T16:17:35.385Z",
    "dateUpdated": "2025-12-05T18:27:32.797Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1002 (GCVE-0-2026-1002)

Vulnerability from cvelistv5 – Published: 2026-01-15 20:50 – Updated: 2026-01-15 21:09

Title

Eclipse Vert.x Web static handler file access denial

Summary

The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitgation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

CWE

CWE-444

Assigner

eclipse

References

URL

Tags

https://github.com/eclipse-vertx/vert.x/pull/5895

patch

Impacted products

	Vendor	Product	Version
	Eclipse Vert.x	Eclipse Vert.x	Affected: 4.0.0 , ≤ 4.5.23 (semver) Affected: 5.0.0 , ≤ 5.0.6 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1002",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-15T21:07:25.597990Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-15T21:09:22.172Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/vert-x3/vertx-web/issues/2836"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "io.vertx",
          "product": "Eclipse Vert.x",
          "repo": "https://github.com/eclipse-vertx/vert.x",
          "vendor": "Eclipse Vert.x",
          "versions": [
            {
              "lessThanOrEqual": "4.5.23",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.0.6",
              "status": "affected",
              "version": "5.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.\u003c/p\u003e\n\u003cp\u003eThe issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/eclipse-vertx/vert.x/pull/5895\"\u003ehttps://github.com/eclipse-vertx/vert.x/pull/5895\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003e\n\u003ca target=\"_blank\" rel=\"nofollow\"\u003e\u003c/a\u003e\u003c/h2\u003e\u003ch2\u003eSteps to reproduce\u003c/h2\u003e\n\u003cp\u003eGiven a file served by the static handler, craft an URI that introduces a string like \u003ccode\u003ebar%2F..%2F\u003c/code\u003e after the last \u003ccode\u003e/\u003c/code\u003e char to deny the access to the URI with an HTTP 404 response. For example \u003ccode\u003ehttps://example.com/foo/index.html\u003c/code\u003e can be denied with \u003ccode\u003ehttps://example.com/foo/bar%2F..%2Findex.html\u003c/code\u003e\u003c/p\u003e\u003ch2\u003eMitgation\u003c/h2\u003e\n\u003cp\u003eDisabling Static Handler cache fixes the issue.\u003c/p\u003e\n\u003cdiv\u003e\n\u003cpre\u003e\u003ccode\u003eStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.\n\n\nThe issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web):  https://github.com/eclipse-vertx/vert.x/pull/5895 \n\n\n\nSteps to reproduce\nGiven a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html\n\nMitgation\nDisabling Static Handler cache fixes the issue.\n\n\n\nStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-153",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-153 Input Data Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-15T20:50:25.642Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/eclipse-vertx/vert.x/pull/5895"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Eclipse Vert.x Web static handler file access denial",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2026-1002",
    "datePublished": "2026-01-15T20:50:25.642Z",
    "dateReserved": "2026-01-15T18:23:48.276Z",
    "dateUpdated": "2026-01-15T21:09:22.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:3951

CVE-2025-58057 (GCVE-0-2025-58057)

CVE-2025-66566 (GCVE-0-2025-66566)

CVE-2026-1002 (GCVE-0-2026-1002)

Tags

Sightings

Nomenclature