{"id":"CVE-2025-58057","summary":"Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack","details":"Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.","aliases":["GHSA-3p8m-j85q-pgmj"],"modified":"2026-04-02T12:56:00.873425Z","published":"2025-09-03T21:46:49.928Z","related":["CGA-wmp8-rwrx-3h9c","SUSE-SU-2025:03114-1","openSUSE-SU-2025:15520-1"],"database_specific":{"cwe_ids":["CWE-409"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58057.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58057.json"},{"type":"ADVISORY","url":"https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58057"},{"type":"FIX","url":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/netty/netty","events":[{"introduced":"0"},{"fixed":"56ea9763c6ac550f0f8ab7849ef0af21532643cb"},{"introduced":"09e64d259c99be8b5b2a471a78f11e65eb82598a"},{"fixed":"406a58fd36e351b299553b3ceba5708f40a6153d"},{"fixed":"9d804c54ce962408ae6418255a83a13924f7145d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.1.125"},{"introduced":"4.2.0"},{"fixed":"4.2.5"}]}}],"versions":["netty-3.10.0.Final","netty-3.10.1.Final","netty-3.10.2.Final","netty-3.10.3.Final","netty-3.10.4.Final","netty-3.10.5.Final","netty-3.10.6.Final","netty-3.2.10.Final","netty-3.2.4.Final","netty-3.2.5.Final","netty-3.2.6.Final","netty-3.2.7.Final","netty-3.2.8.Final","netty-3.2.9.Final","netty-3.3.0.Final","netty-3.3.1.Final","netty-3.4.0.Alpha1","netty-3.4.0.Alpha2","netty-3.4.0.Beta1","netty-3.4.0.Final","netty-3.4.1.Final","netty-3.4.2.Final","netty-3.4.3.Final","netty-3.4.4.Final","netty-3.4.5.Final","netty-3.4.6.Final","netty-3.5.0.Beta1","netty-3.5.0.Final","netty-3.5.1.Final","netty-3.5.10.Final","netty-3.5.11.Final","netty-3.5.12.Final","netty-3.5.13.Final","netty-3.5.2.Final","netty-3.5.3.Final","netty-3.5.4.Final","netty-3.5.5.Final","netty-3.5.6.Final","netty-3.5.7.Final","netty-3.5.8.Final","netty-3.5.9.Final","netty-3.6.0.Beta1","netty-3.6.0.Final","netty-3.6.1.Final","netty-3.6.10.Final","netty-3.6.2.Final","netty-3.6.3.Final","netty-3.6.4.Final","netty-3.6.5.Final","netty-3.6.6.Final","netty-3.6.7.Final","netty-3.6.8.Final","netty-3.6.9.Final","netty-3.7.0.Final","netty-3.7.1.Final","netty-3.8.0.Final","netty-3.8.1.Final","netty-3.8.2.Final","netty-3.8.3.Final","netty-3.9.0.Final","netty-3.9.1.1.Final","netty-3.9.1.Final","netty-3.9.2.Final","netty-3.9.3.Final","netty-3.9.4.Final","netty-3.9.5.Final","netty-3.9.6.Final","netty-3.9.7.Final","netty-3.9.8.Final","netty-3.9.9.Final","netty-4.0.0.Alpha1","netty-4.0.0.Alpha2","netty-4.0.0.Alpha3","netty-4.0.0.Alpha4","netty-4.0.0.Alpha5","netty-4.0.0.Alpha6","netty-4.0.0.Alpha7","netty-4.0.0.Alpha8","netty-4.0.0.Beta1","netty-4.0.0.Beta2","netty-4.0.0.Beta3","netty-4.0.0.CR1","netty-4.0.0.CR2","netty-4.0.0.CR3","netty-4.0.0.CR4","netty-4.0.0.CR5","netty-4.0.0.CR6","netty-4.0.0.CR7","netty-4.0.0.CR8","netty-4.0.0.CR9","netty-4.0.0.Final","netty-4.0.1.Final","netty-4.0.10.Final","netty-4.0.11.Final","netty-4.0.12.Final","netty-4.0.13.Final","netty-4.0.14.Beta1","netty-4.0.14.Final","netty-4.0.15.Final","netty-4.0.16.Final","netty-4.0.17.Final","netty-4.0.18.Final","netty-4.0.19.Final","netty-4.0.2.Final","netty-4.0.20.Final","netty-4.0.21.Final","netty-4.0.22.Final","netty-4.0.23.Final","netty-4.0.24.Final","netty-4.0.25.Final","netty-4.0.26.Final","netty-4.0.27.Final","netty-4.0.28.Final","netty-4.0.29.Final","netty-4.0.3.Final","netty-4.0.30.Final","netty-4.0.31.Final","netty-4.0.32.Final","netty-4.0.33.Final","netty-4.0.34.Final","netty-4.0.35.Final","netty-4.0.36.Final","netty-4.0.37.Final","netty-4.0.38.Final","netty-4.0.39.Final","netty-4.0.4.Final","netty-4.0.40.Final","netty-4.0.41.Final","netty-4.0.42.Final","netty-4.0.43.Final","netty-4.0.44.Final","netty-4.0.45.Final","netty-4.0.46.Final","netty-4.0.47.Final","netty-4.0.48.Final","netty-4.0.49.Final","netty-4.0.5.Final","netty-4.0.50.Final","netty-4.0.51.Final","netty-4.0.52.Final","netty-4.0.53.Final","netty-4.0.54.Final","netty-4.0.55.Final","netty-4.0.56.Final","netty-4.0.6.Final","netty-4.0.7.Final","netty-4.0.8.Final","netty-4.0.9.Final","netty-4.1.0.Beta1","netty-4.1.0.Beta2","netty-4.1.0.Beta3","netty-4.1.0.Beta4","netty-4.1.0.Beta5","netty-4.1.0.Beta6","netty-4.1.0.Beta7","netty-4.1.0.Beta8","netty-4.1.0.CR1","netty-4.1.0.CR2","netty-4.1.0.CR3","netty-4.1.0.CR4","netty-4.1.0.CR5","netty-4.1.0.CR6","netty-4.1.0.CR7","netty-4.1.0.Final","netty-4.1.1.Final","netty-4.1.10.Final","netty-4.1.100.Final","netty-4.1.101.Final","netty-4.1.102.Final","netty-4.1.103.Final","netty-4.1.104.Final","netty-4.1.105.Final","netty-4.1.106.Final","netty-4.1.107.Final","netty-4.1.108.Final","netty-4.1.109.Final","netty-4.1.11.Final","netty-4.1.110.Final","netty-4.1.111.Final","netty-4.1.112.Final","netty-4.1.113.Final","netty-4.1.114.Final","netty-4.1.115.Final","netty-4.1.116.Final","netty-4.1.117.Final","netty-4.1.118.Final","netty-4.1.119.Final","netty-4.1.12.Final","netty-4.1.120.Final","netty-4.1.121.Final","netty-4.1.122.Final","netty-4.1.123.Final","netty-4.1.124.Final","netty-4.1.13.Final","netty-4.1.14.Final","netty-4.1.15.Final","netty-4.1.16.Final","netty-4.1.17.Final","netty-4.1.18.Final","netty-4.1.19.Final","netty-4.1.2.Final","netty-4.1.20.Final","netty-4.1.21.Final","netty-4.1.22.Final","netty-4.1.23.Final","netty-4.1.24.Final","netty-4.1.25.Final","netty-4.1.26.Final","netty-4.1.27.Final","netty-4.1.28.Final","netty-4.1.29.Final","netty-4.1.3.Final","netty-4.1.30.Final","netty-4.1.31.Final","netty-4.1.32.Final","netty-4.1.33.Final","netty-4.1.34.Final","netty-4.1.35.Final","netty-4.1.36.Final","netty-4.1.37.Final","netty-4.1.38.Final","netty-4.1.39.Final","netty-4.1.4.Final","netty-4.1.40.Final","netty-4.1.41.Final","netty-4.1.42.Final","netty-4.1.43.Final","netty-4.1.44.Final","netty-4.1.45.Final","netty-4.1.46.Final","netty-4.1.47.Final","netty-4.1.48.Final","netty-4.1.49.Final","netty-4.1.5.Final","netty-4.1.50.Final","netty-4.1.51.Final","netty-4.1.52.Final","netty-4.1.53.Final","netty-4.1.54.Final","netty-4.1.55.Final","netty-4.1.56.Final","netty-4.1.57.Final","netty-4.1.58.Final","netty-4.1.59.Final","netty-4.1.6.Final","netty-4.1.60.Final","netty-4.1.61.Final","netty-4.1.62.Final","netty-4.1.63.Final","netty-4.1.64.Final","netty-4.1.65.Final","netty-4.1.66.Final","netty-4.1.67.Final","netty-4.1.68.Final","netty-4.1.69.Final","netty-4.1.7.Final","netty-4.1.70.Final","netty-4.1.71.Final","netty-4.1.72.Final","netty-4.1.73.Final","netty-4.1.74.Final","netty-4.1.75.Final","netty-4.1.76.Final","netty-4.1.77.Final","netty-4.1.78.Final","netty-4.1.79.Final","netty-4.1.8.Final","netty-4.1.80.Final","netty-4.1.81.Final","netty-4.1.82.Final","netty-4.1.83.Final","netty-4.1.84.Final","netty-4.1.85.Final","netty-4.1.86.Final","netty-4.1.87.Final","netty-4.1.88.Final","netty-4.1.89.Final","netty-4.1.9.Final","netty-4.1.90.Final","netty-4.1.91.Final","netty-4.1.92.Final","netty-4.1.93.Final","netty-4.1.94.Final","netty-4.1.95.Final","netty-4.1.96.Final","netty-4.1.97.Final","netty-4.1.98.Final","netty-4.1.99.Final","netty-4.2.0.Alpha1","netty-4.2.0.Alpha2","netty-4.2.0.Alpha3","netty-4.2.0.Alpha4","netty-4.2.0.Alpha5","netty-4.2.0.Alpha6","netty-4.2.0.Beta1","netty-4.2.0.Final","netty-4.2.0.RC1","netty-4.2.0.RC2","netty-4.2.0.RC3","netty-4.2.0.RC4","netty-4.2.1.Final","netty-4.2.2.Final","netty-4.2.3.Final","netty-4.2.4.Final","netty-5.0.0.Alpha1","netty-5.0.0.Alpha2","netty-5.0.0.Alpha3","netty-5.0.0.Alpha4","netty-5.0.0.Alpha5","netty-tag"],"database_specific":{"vanir_signatures":[{"target":{"file":"codec-compression/src/main/java/io/netty/handler/codec/compression/ZstdDecoder.java"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["84826743833987520222283554709558419461","229941705159259441117397925904357014489","239758567056483344727097341660781202038","261208025501304973781740736998369336889","282967270068895706348545737734993157931","85292008776335211722731366824354959371","188071552577217312514997923988741278380","227895725838260453036415906869511123839","202053290081678781257846594905908386858","200122463195936398902927258918832294655","290686680299069363964600166107909816618","113704568288568191104840682560531725378","289596453280306157790200283274031731542","2685886786854585040512704178710420950","206495597632853188130230170244816610919","65276116270209034175324250327121027018","195542844370925318137354894029514795698","191767756422951196299506193164322974811","327356853475380713275908024133979049997","194349860813593454596880775168950934168","47699494526886474312980270280702955143","38134056699244433232490580441338578778","295449663740892074914003729330080417147","89108694236075657851873828519620281502","224181327059227181680196846613793236156","83329933797219732100867360834904099335","173752281052659239649013454312398366207","316528865488575753954894228061973043600","127759871132345037676245032368809267528","153355495522813310811436348433104856858","83605324093879460770905426315351268874","289899633187063915752685026579433121464","153283795737243132354442438513254435016","166021160019589265334838985994018939277","70897536007569163031696306297006691898","53922213238176684997021388050923731810","129136780151601444954703730607668328349"]},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-003c7c6a"},{"target":{"function":"fetchDecoderOutput","file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpContentDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"84591399580489099817280877875592802090","length":226},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-09b50830"},{"target":{"file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpContentDecoder.java"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["21070106644472642411163165357991913520","28630523934747623019235421561704699253","2138405906502131975829355746933459114","68294833129406119396561928437205024599","298438518424048191741057293147926386993","7632006613650883660595501288707990618","258903918647893143780629350550995327108","260924048074641594442420751807850698633","166535287329824279820000930090951921492","32659038197932099385429209956281360070","288069831071191480474669123104871259079","103370376648111635469952197257427387139","293687545060395275379018563891861589396","102330184835342085977587005850919385274","308697998281167724350767621745116296716","57227917340021918521663617182076963770","66695765695948800712979384861844825671","108517435792108602559283878953716958512","247894135008056791264808141577860752077","262093253258320343059115008440936426998","26631690569737421278092342395285068224","308697998281167724350767621745116296716","22856760116563567373796703553602590491","138719575117423580213395237239434539405","254741334099755843141845902029288877465","245065531818692266452225056784316990805","177526754924630156315136939669805767338","176099464859299572111344184835539478000","151396835454013242812137246959293795773","284981238552930560803090854105965472359","110532055359863654282466362168111602086","26497444386725953043775164350857036398","203855859827786822102628685251104145592","244044274584952353356880478962063418833","153910641668974128496804034994497399363","58231636348791925983101298874454925586","158885963051256514258289112334018038503","160909062602807098028502197638651279208","41820783480482036625352889673559219746","9727828828267891730938944975147176373","90460726870694483045601068608339844575","56744003759911216472171303531851054042","220638497187240943409191370292156889841","237389391425835866159028337159643811602","114926961908343736370483348385043562921","121589400958004186292457645669050050513","109796810045691966195687045459745615104","186513427453349134410335282926893410073","20758443770269692434663311879400233137","65702920612906186697196480827189385492","126501520579213578986326412139839063169","282568185764306528479653869352677833436","339497349135143830975091232579506228591","314928486037388983069867135657363513436","249961858290483438563102959866172738596","319618954983404261598590388720895490672","127478273395961533857187555649849218329","157742317753982349146334234765495140065","37942356903898165323483297809350391003","110517761857978631875167308581603481494","29534424061552703943641806646202012251","188602831789282967293849507122223105284","288035823445035720295663720519376941213","10517893907480336347076584991417254654","58544892019034043721109840407222984398","217867754180361589928740435044500434853","63855836346539645845204677884048146890","131460565192605962264086191951242920929","14882365355235885427304094168597093418","125499539589178639135244558873695295705","7922802419418379556349264734490487064","314342379433508313725529557020123868441","270020961726060210100308174016996958485","265349589515211426117282377515974375097","260374285055496378442990504132241967865","327713355948505373977935838516172425249","208080598995103639966836868487761682584","240186717652437784439067539167883608376","321508585050504892088854371732723954303","144036763083027271697669429218601940659","147375863512338289119562469535885863927","302811203272157671458026663245260072187","115449194749939842375579552588587157037","112681526429912074537961507425384393302","230010660531191395363330243373675796645","39697002736176048099721319156043075268","89215098694372047187464391336130464452","257607441400032448721563896986654184043","253391902394117434007994156490083863990","162133200135950741884807950153288265677","238707279965213893447295303759571002449","255954119693656391753536702909398024338","216060106702970860640020671021873899998","49855039934461436701381969239662762028","149120862757590532766182353258284603693","274324974035086642963314371891610689248","61948111571141237650476708126335709713","248961034222332956762719439179117257623","174940734524200096201703374925626542160","296047922626418234715146453349205888348","221184852175375199786944181617170675290","312718362311871062695707552107527262247","310413695553397128320860444300533868380","211495742739982984344387671827195272663","185129763022106087735836903982097966890","7835173072201490953556520472261605883","132225062967318125981538040577702703656","293809869683197192379470656361752553126","3490311468456870394194501856477239796","148459819568833740497851321387050524065","64251499429382533168594829905670531051","50589984752129776167307631797709278810","125275272397655031471336454463575426969","317145869095197906102535962172833048211","329013678494040115248561647538190415498","169393193988187823737704214414085885755","306205326802619988365210234024222755609","275997902248603082807261335495664832951","246891717462563076390515059522247099785","195681394062720850906605238252684563646","231549539256880877132962880212713939306","291662617272102321154144369857827168222","133685425490539179792610465044886600642","31086291600014481395011596023699208434","92819482674135838356106466301387309845","32333184371224667454824871746035186594","173895659612639665217473437224065710956","121122513405308211826251990703042266938","55401027835787496353917429045347203148","161309706297507129901312737917970809433","171359684834033381543126176918654047547","176664992092766167134690723869342533746","74486274242574829635956712550407081314","98453844651364641364221540163373547458","187995677738033607212035410726327277950","180707698902078489725933989335210351580","216881358701928287488400864317089585957","137519229447024342933979597845758279384","125262461533297137252579420873311518534"]},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-0b4b45df"},{"target":{"function":"decode","file":"codec-compression/src/main/java/io/netty/handler/codec/compression/JdkZlibDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"237093866007197301039866889987292439795","length":2211},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-137f161f"},{"target":{"function":"initDecompressor","file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"85485276112350423554108146650243532129","length":918},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-203160af"},{"target":{"function":"finishDecode","file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpContentDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"128529550446250667395255772416732240114","length":106},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-259f213d"},{"target":{"function":"cleanup","file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpContentDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"333459057555930873248875541800989885231","length":91},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-278a755e"},{"target":{"function":"decode","file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpContentDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"172921042970838765478855879025941872667","length":115},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-29288c79"},{"target":{"function":"decode","file":"codec-compression/src/main/java/io/netty/handler/codec/compression/JZlibDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"219491896229261089869829332448877294770","length":1802},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-2e5a9b21"},{"target":{"file":"codec-compression/src/main/java/io/netty/handler/codec/compression/JdkZlibDecoder.java"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["50227978872564600166739421734948961336","321980111644006374505188148257626981338","340116659503390931679422203081276361541","283444430346391828646878798444325365822","89459552054980669912192970888530479263","281114148932935269604948560364708419714","152955050723471843242357227341147552929","211557151857904349972064370027057205627","57548714762238526525360210889620021594","184806409170713981761749669364018201916","38118116704580477249120830512208909021","83241883956933913414736731523810173464","175766440334728265578738781158110486513","36406358116883541195996368638853416242","116407740569126125838587320801874594716","233217937272850647061330435860862742828","4589800041346265903675128032475247703","79018805468961241566761878703444233068","281519301153537763271637722339762352408","32225114521461809360822447301266951842","137384409615329759587724928428268012128"]},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-38b8b12b"},{"target":{"function":"pull","file":"codec-compression/src/main/java/io/netty/handler/codec/compression/BrotliDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"205641234953711698739466724074371077490","length":163},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-3f54bf51"},{"target":{"file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["49847817752980390114868309661774052838","247136685600072752434569622639393744589","297665971171062092428671293292229051223","261786752031115732091528522126321145340","112760020041920330585826881545223646921","88663155210984623319082725582783668998","202427746593638031048898806860733346739","154693959272804258072828848682895179024","208708129810335188693945886836075104513","314616058756422871602338084242212966988","161489160701894446524566094198784409506","15315161938392534846411764561621872391","156091823511097273030707436649025668722","136343332430646182335199928944997775483","203190615180437640204669220955022912812","307100665847233921646166764896057653473","99135144399207307535899705024368715842","281173332970523153265075380022509406332","323471927659561631090975856728510587190","68687081297252247930754738873249225204","26846269681070865326126372354044431665","211410433021273537135636982233128610491","122731142986021212889975755983873842316","328981638425864322247370136734056666573","259187029435264779432271652323054017922","60472050980299936312125571869463818071","154451069918709973205475399242615606777","65624477096356351864424664337367656262","100006568847025823323627660687632588203","45682054741040103754972415288494218143","108849948383403544364772203124624478793","141296195622195835001673824244970922185","61380375999545417786736989755609735524","289578555019488362799239966690349487079","233873845007413007516865680554093817586","255168315020467284082124030441934821348","286512030713876855901521463331505911824","156133741320661687838986233864663159422","292234888041445291042227795298524063536","233174043481174037269594435620941928675","330734752664744953811371839480635093123","221035184104252895501669292436103831237","296611773384486857048605100014205108300","144478476891657371162697086420926114618","203274384903160462289652955667936585091","318787209961357938649277963720559210188","52209314947253647881786059301833187101","78316631650311589167550029212267772461","158846297976790447645038530865916512342","139393681925345799939249533575762177856","49508420078398760417283852714214248964","256981651022479207345357468390983289172","318371583715560226931183649855185859169","300129529147231413813844028679438170511","84303014803836146566705889661498236540","97577571385364650822233555707668973784","83458782044319653005750121270740337343","203861735462010345813828563560666821099","18186136727967416352378909674954444228","285804984454250651179264971869399763035","162351075810673874043153594363482205513","233765315769315969649420725407603245374","330136772381831706617647920779748149874","205713797064487798252090431890023052163","227920280408692458173008861373850713580","39321118997839994757415726572168548562","250126746691798888426775757829387588479","314010553127645543005234926760024459092","331841266528951280391386050804447329260","339709403062521269133818221287725206916","77901344641081813462671541027505255716","37913804701398038564259870378719357114","129799849301120242449089122172633265005","271757713861248487227494315421921476461","29857138614102619468263802253725397510","98453844651364641364221540163373547458","187995677738033607212035410726327277950","117371309006420738322061111209803198768","133085623216910322662150214839956273498","148319037118714419946403914563802202963","122125616748444092493625684605121868312","142317544570010483138646260417396823362","284533895064142388734023146868956407048","314275312419474316697701222760311712202","4806233168025239263176334139284775364","146404586370473236075709604640286316169","164255821738424178110053038833399725974","63302846460912190236719099730321635891","313381064420673299766963393429187329871","224763682325927105282555929224339038388","77867128558619736570404513750870952169","15453929459589908874038714840825573690","45209725589485597004820820805071953675","137688524761413122606453713966767300497","70644536210972687059763421283199932964","270946294604492378688860012608544954342","118925338780325078043680054512947064012","183037725950395973886931742363261553169","82493215396332949651488531870609197524","266418509176637968643966107437230501607"]},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-40b05010"},{"target":{"function":"decode","file":"codec-compression/src/main/java/io/netty/handler/codec/compression/ZstdDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"306142550942240689860119945137618547350","length":766},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-46d7ed8a"},{"target":{"function":"decompress","file":"codec-compression/src/main/java/io/netty/handler/codec/compression/BrotliDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"157022655508322336999011051184159893703","length":615},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-53ccc46c"},{"target":{"function":"decode","file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpContentDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"120133637039794245789121989849225524512","length":2443},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-53f3a22d"},{"target":{"file":"codec-compression/src/test/java/io/netty/handler/codec/compression/AbstractIntegrationTest.java"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["326497635737594138726506207865574671822","240187244580503969239944819708348331336","207934682111169948569838227422052880096","214253089809270228383494721654543771650","19414580985528469303250024929107498977","61775311609683862587349208014860526607","92475712975278346844180365662696222761","200034894706187050982310534990007702028","134656109783084115965606108428400264678"]},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-5668f5c2"},{"target":{"file":"codec-compression/src/main/java/io/netty/handler/codec/compression/JZlibDecoder.java"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["51287705268962105708065164103604460686","99098173747432587612112272108135297088","140288108570657360497118950666795161719","294773193171849401399795182878095291447","89459552054980669912192970888530479263","281114148932935269604948560364708419714","152955050723471843242357227341147552929","211557151857904349972064370027057205627","275610631174398885636184458049773265498","163491747466902960137267799189905711882","99669411913225124588462055415508229238","44572859061143012817343084592437342232","185930459157913346900340019262695644912","258609646858772264883512296916326062339","205983180142357371795666152480300674867","233217937272850647061330435860862742828","4589800041346265903675128032475247703","79018805468961241566761878703444233068","100597443016876687727004006087936272829","279717673262436060827843437195081551953","156240712997195933568202868411074031602","235428265765089159588818989847646407435"]},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-8da80079"},{"target":{"function":"onDataRead","file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"94364127258995703861817147674144913070","length":1519},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-9d4ea528"},{"target":{"function":"nextReadableBuf","file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"284570503232053425624677837458346481292","length":205},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-aee4e6b1"},{"target":{"file":"codec-compression/src/main/java/io/netty/handler/codec/compression/BrotliDecoder.java"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["246746867144801723822021000495893078846","52735931890480528957565938716109722936","158009373995149593188908948409602991798","18643799530920095464822912716450487233","149781973992454070154212447101432611259","14567603969488849155134165721968666432","127045364687810616904293926535219992768","180126249790525556455765857590134067091","3303486786029340879765514926341891329","123777302438306466982384790088940787717","309571633725043986223662972585619693786","322967544796676632429971088372787834788","314174357326937300108886561337255597230","272078770204115530216988240296772106331","248457587009990963219983604683975493510","141781680126290176728177411981037462640","42175728779183215239986383807388375717","306856078048036734272950804165144663195","221527848662153185466621595985950610013","160475614912520958077907307513742679803","148030064345536543693042937815773074188","285989979206942732961356420569697215966","163945776351950060813029480660763140805","223762101345818892708028995707415566316","333002421379919517401611556642696449833","137288654637958078508804003478152603908","282374656775849025775845108243198371983","184840859726497817290661631290951087197","145119103076228360780412552422463820281","205740480170579548296625368420665564608","323709761407359622001475777319244605880","160316562034981742517910978554630276447","13606072055968513023178164503637981826","290465632119740270070795893590388783402","25371623665634777151395928293150596792","301043345182097780441854419382592831437"]},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-b675444c"},{"target":{"function":"decompressor","file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"17763830958181724816069573570587553732","length":40},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-b7504b2d"},{"target":{"file":"codec-http/src/test/java/io/netty/handler/codec/http/HttpContentDecompressorTest.java"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["316665729182614767993164573447248334340","322560326491264177815222516428730136483","47019394391386047969331462269215006450","111181513458150177253306655494952685201","89986118796664824115153983354531740451","194815170588594434916487286416933956133","216128109764002663855362773794145077939","33522733243234075217136225454294422217","17316446052962568199519970784773603708"]},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-c02ae112"},{"target":{"function":"decode","file":"codec-compression/src/main/java/io/netty/handler/codec/compression/BrotliDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"96264874563170004092877696735623810673","length":453},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-c2156e66"},{"target":{"function":"decodeContent","file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpContentDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"184015010100842026049568191315606194418","length":397},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-c89873e6"},{"target":{"function":"handlerAdded","file":"codec-http/src/main/java/io/netty/handler/codec/http/HttpContentDecoder.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"191061042635499403767522126697732082226","length":103},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-c9daa209"},{"target":{"function":"onStreamRemoved","file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"84732250168648591649283770767316742401","length":130},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-caa54c01"},{"target":{"function":"cleanup","file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"253064833729149786296386610386187556537","length":78},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-cdedeb4c"},{"target":{"function":"DelegatingDecompressorFrameListener","file":"codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"7971369392726091110975216962366324015","length":459},"source":"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d","signature_version":"v1","id":"CVE-2025-58057-d29c3d30"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58057.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}]}