CVE-2025-24970

SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine

Description

### Impact
When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash.

‍
### Workarounds
As workaround its possible to either disable the usage of the native SSLEngine or changing the code from:

‍
```
SslContext context = ...;
SslHandler handler = context.newHandler(....);
```

to:

```
SslContext context = ...;
SSLEngine engine = context.newEngine(....);
SslHandler handler = new SslHandler(engine, ....);
```

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

7.5

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Versions

io.netty:netty-handler >= 4.1.91.Final < 4.1.118.Final

Severity

High

Ecosystem

Java

Publish Date

February 10, 2025

Modified Date

April 16, 2025