CVE-2025-24970

SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine

Description

Impact

When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash.

Workarounds

As workaround its possible to either disable the usage of the native SSLEngine or changing the code from:

SslContext context = ...;
SslHandler handler = context.newHandler(....);

to:

SslContext context = ...;
SSLEngine engine = context.newEngine(....);
SslHandler handler = new SslHandler(engine, ....);

Patch Available

Fix available through Seal Security.  
No upgrade required, protect your application instantly.

Fix without upgrading

Score

7.5

Severity

High

Ecosystem

Java

Publish Date

February 10, 2025

Modified Date

February 3, 2026

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Versions