Security vuln in aws sdk, via third-party (netty-nio-client) CVE-2025-25193

[cedthivierge]

Describe the bug

Please See : https://nvd.nist.gov/vuln/detail/CVE-2025-25193

Presently netty-nio-client is using net-handler:4.1.118, that has following vulnerability :
An unsafe reading of environment file could potentially cause a denial of service in Netty.

Short dependency chart:
[INFO] | +- software.amazon.awssdk:netty-nio-client:jar:2.31.77compile
[INFO] | | +- io.netty:netty-handler:jar:4.1.118.Final:compile

Details are available at GHSA-389x-839f-4rhx

Impact
Impact is the same as GHSA-xq3w-v528-46rv

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

There should be no Critical, high or medium level vulnerability reported.

Current Behavior

It has a following medium vulnerability: CVE-2025-25193

Reproduction Steps

software.amazon.awssdk netty-nio-client 2.31.77

Possible Solution

Upgrade the dependent io.netty/netty-handler:4.1.118.Final to version 4.1.122.Final or above.

Additional Information/Context

No response

AWS Java SDK version used

software.amazon.awssdk:aws-core:jar:2.31.77

JDK version used

OpenJDK 64-Bit Server VM (Red_Hat-21.0.4.0+7-1) (build 21.0.4+7-LTS, mixed mode, sharing)

Operating System and version

Windows 11 Entreprise 23H2 22631.5624

[debora-ito]

@cedthivierge

The Github Advisory database says 4.1.118.Final is the patched version, and the netty/netty commit with the fix referenced was released in netty 4.1.118.Final.

The latest Java SDK version is already on netty 4.1.118.Final:

aws-sdk-java-v2/pom.xml

Line 118 in 273187a

<netty.version>4.1.118.Final</netty.version>

The vulnerability report may be a false positive then. Where are you getting the vulnerability report from?

[cedthivierge]

This link says that versions are affected including 4.1.118.Final. https://nvd.nist.gov/vuln/detail/CVE-2025-25193 Le mer. 9 juill. 2025, 18 h 23, Debora N. Ito ***@***.***> a écrit :

…

*debora-ito* left a comment (aws/aws-sdk-java-v2#6247) <#6247 (comment)> @cedthivierge <https://github.com/cedthivierge> The Github Advisory database <https://github.com/advisories/GHSA-389x-839f-4rhx> says 4.1.118.Final is the patched version, and the netty/netty commit <netty/netty@d1fbda6> with the fix referenced was released in netty 4.1.118.Final. The latest Java SDK version is already on netty 4.1.118.Final: https://github.com/aws/aws-sdk-java-v2/blob/273187acc23e5c10374a49092a6bea5ec9cb1c3d/pom.xml#L118 The vulnerability report may be a false positive then. Where are you getting the vulnerability report from? — Reply to this email directly, view it on GitHub <#6247 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOG4X23HLXGBBXY3HULGK2T3HWI4LAVCNFSM6AAAAACBFHLYZWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTANJUGI3TEOBTGM> . You are receiving this because you were mentioned.Message ID: ***@***.***>