{"uuid": "1c11ce6e-853d-4a60-a636-6887ba2f1bda", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "GHSA-389X-839F-4RHX", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/4455", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-25193\n\ud83d\udd25 CVSS Score: 5.4 (CVSS_V3)\n\ud83d\udd39 Description: ### Summary\nAn unsafe reading of an environment file could potentially cause a denial of service in Netty.\nWhen loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes.\n\n### Details\nA similar issue was previously reported in https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv\nThis issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit.\n\n\n### PoC\nThe PoC is the same as for https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv with the detail that the file should only contain null-bytes; 0x00.\nWhen the null-bytes are encountered by the `InputStreamReader`, it will issue replacement characters in its charset decoding, which will fill up the line-buffer in the `BufferedReader.readLine()`, because the replacement character is not a line-break character.\n\n### Impact\nImpact is the same as https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv\n\ud83d\udccf Published: 2025-02-10T18:14:47Z\n\ud83d\udccf Modified: 2025-02-14T15:02:31Z\n\ud83d\udd17 References:\n1. https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx\n2. https://nvd.nist.gov/vuln/detail/CVE-2025-25193\n3. https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386\n4. https://github.com/netty/netty", "creation_timestamp": "2025-02-14T15:15:16.000000Z"}