CVE-2025-58057: Netty's decoders vulnerable to DoS via zip bomb style attack

September 3, 2025 (updated September 4, 2025)

With specially crafted input, BrotliDecoder and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service.

References

github.com/advisories/GHSA-3p8m-j85q-pgmj
github.com/netty/netty
github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d
github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
nvd.nist.gov/vuln/detail/CVE-2025-58057

Code Behaviors & Features

Detect and mitigate CVE-2025-58057 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →