CVE-2025-24970 – Netty SslHandler native crash
Severity: Low
2025-12-19
Abstract
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, the handler does not correctly validate such a packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround, it is possible either to disable the usage of the native SSLEngine or to change the code manually.
The Oxygen products incorporate Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen Content Fusion v7.1 and older | None | Oxygen Content Fusion 8.0 build 2025031016 |
| Oxygen XML Editor v27.0 and older | Low | Oxygen XML Editor 27.1 build 2025032106 |
| Oxygen XML Author v27.0 and older | Low | Oxygen XML Editor 27.1 build 2025032106 |
| Oxygen XML Developer v27.0 and older | Low | Oxygen XML Editor 27.1 build 2025032106 |
Detail
CVE-2025-24970
Severity: High
CVSS Score: 7.5
Component: Netty (io.netty:netty-handler). CVE-2025-24970 affects Netty 4.1.91.Final through 4.1.117.Final. When a specially crafted packet is processed by SslHandler, input validation may fail in certain cases, leading to a native process crash (denial of service). The issue is fixed in Netty 4.1.118.Final. Upstream-reported workarounds include disabling the native SSLEngine or applying code changes to avoid the vulnerable path.
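To verify which netty-handler build an installation actually ships, the following added example (not code from Oxygen or the Netty project) walks a directory of jars, reads the Maven pom.properties that netty-handler artifacts are assumed to carry under META-INF, and flags versions inside the affected range 4.1.91.Final to 4.1.117.Final. The sample jar it builds is constructed for offline testing only.

```python
"""Scan jars for netty-handler versions affected by CVE-2025-24970 (added example)."""
import io
import re
import zipfile
from pathlib import Path

# Standard Maven metadata path for the io.netty:netty-handler artifact (assumed present).
POM_PROPS = "META-INF/maven/io.netty/netty-handler/pom.properties"
FIRST_AFFECTED = (4, 1, 91)   # 4.1.91.Final introduced the bug
FIRST_FIXED = (4, 1, 118)     # 4.1.118.Final contains the patch


def parse_version(version: str):
    """Return (major, minor, patch) from strings such as '4.1.117.Final', else None."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version: str):
    """True if the version lies in [4.1.91, 4.1.118); None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return FIRST_AFFECTED <= parsed < FIRST_FIXED


def netty_handler_version(jar):
    """Read the artifact version from a jar (path or file-like); None if not netty-handler."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def scan_dir(root):
    """Return (path, version, affected) for every netty-handler jar under root."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        try:
            version = netty_handler_version(path)
        except zipfile.BadZipFile:
            continue  # not a valid jar; skip rather than abort the scan
        if version is not None:
            findings.append((str(path), version, is_affected(version)))
    return findings


def make_sample_jar(version: str) -> bytes:
    """Constructed minimal jar carrying only pom.properties (not a real Netty artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=io.netty\nartifactId=netty-handler\n")
    return buf.getvalue()
```

Run `scan_dir` against the installation's lib directory; any finding with `affected == True` means the patched release is not yet in place.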
Starting with Oxygen XML Editor version 27.1 build 2025032106, the Netty library was updated to a non-vulnerable release.
Starting with Oxygen Content Fusion version 8.0 build 2025031016, the Netty library was updated to a non-vulnerable release.
