CVE-2025-24970 Apache Netty < 4.1.118.Final

Hi,

Are there any updates or mitigations available for https://nvd.nist.gov/vuln/detail/CVE-2025-24970

This is a recent high severity vulnerability in Apache Netty versions 4.1.91.Final through to 4.1.117.Final. If successfully exploited this could lead to Denial of Service (DoS). I understand 4.1.118.Final is available which addresses the issue.

Looking at the current OpenSearch release 2.19.0 (in the unpacked tarball) I can see affected libs in several places (here searching for just the handler):

[root@test opensearch-2.19.0]# find . -name netty-handler*
./modules/transport-netty4/netty-handler-4.1.117.Final.jar
./performance-analyzer-rca/lib/netty-handler-4.1.117.Final.jar
./performance-analyzer-rca/lib/netty-handler-proxy-4.1.117.Final.jar
./plugins/opensearch-ml/netty-handler-4.1.115.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-4.1.117.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-proxy-4.1.117.Final.jar
./plugins/opensearch-security/netty-handler-4.1.117.Final.jar

Thank you.
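The check the post runs by hand (find the netty jars, read the version out of the file name) can be scripted so it works on any unpacked bundle and gives a pass/fail answer. The script below is an added example, not code from the thread or from the OpenSearch project; it assumes the affected range stated in the post (4.1.91.Final through 4.1.117.Final) and the usual Netty jar naming convention `netty-<artifact>-<x.y.z>.Final.jar`, and scans every `netty-*.jar`, not only `netty-handler`. The `make_sample_tree` function builds a constructed directory tree that mirrors the 2.19.0 listing above (empty files standing in for the jars) so the scan can be exercised offline. This is a version check on bundled jars, as in the thread, not a test of whether a given component is exploitable.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSearch project): scan an
# unpacked OpenSearch distribution for Netty jars whose version is in the
# range the post names as affected by CVE-2025-24970
# (4.1.91.Final through 4.1.117.Final) and report anything below the
# fixed 4.1.118.Final.

AFFECTED_LO='4.1.91'    # bounds taken from the post / NVD entry
AFFECTED_HI='4.1.117'

# Convert "MAJOR.MINOR.PATCH[.Final]" to a single integer so versions
# compare numerically rather than lexically (4.1.9 must sort below 4.1.117).
version_key() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# netty_version_affected VERSION -> exit 0 if in the affected range, 1 otherwise
netty_version_affected() {
  v=$(version_key "$1")
  lo=$(version_key "$AFFECTED_LO")
  hi=$(version_key "$AFFECTED_HI")
  [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Pull the "x.y.z.Final" version out of a jar file name such as
# netty-handler-proxy-4.1.117.Final.jar; prints nothing if the name does
# not end in "-x.y.z.Final.jar" (e.g. netty-tcnative-*-linux-x86_64.jar).
jar_version() {
  printf '%s\n' "$1" | sed -n 's/.*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.Final\)\.jar$/\1/p'
}

# scan_netty_jars DIR: one line per netty-*.jar below DIR, prefixed
# "AFFECTED", "ok" or "skip" (name did not carry a parseable version).
scan_netty_jars() {
  find "$1" -type f -name 'netty-*.jar' | sort | while IFS= read -r jar; do
    ver=$(jar_version "$(basename "$jar")")
    if [ -z "$ver" ]; then
      printf 'skip %s\n' "$jar"
    elif netty_version_affected "$ver"; then
      printf 'AFFECTED %s\n' "$jar"
    else
      printf 'ok %s\n' "$jar"
    fi
  done
}

# count_affected DIR -> number of affected jars (always exits 0, unlike grep -c)
count_affected() {
  scan_netty_jars "$1" | awk '/^AFFECTED / { n++ } END { print n + 0 }'
}

# make_sample_tree DIR: constructed layout mirroring the 2.19.0 listing in the
# post (empty files stand in for the jars), plus one already-patched jar, so
# the scan can be exercised without downloading a bundle.
make_sample_tree() {
  mkdir -p "$1/modules/transport-netty4" "$1/plugins/opensearch-ml" \
           "$1/plugins/opensearch-security" "$1/performance-analyzer-rca/lib"
  : > "$1/modules/transport-netty4/netty-handler-4.1.117.Final.jar"
  : > "$1/plugins/opensearch-ml/netty-handler-4.1.115.Final.jar"
  : > "$1/plugins/opensearch-security/netty-handler-4.1.117.Final.jar"
  : > "$1/performance-analyzer-rca/lib/netty-handler-proxy-4.1.117.Final.jar"
  : > "$1/performance-analyzer-rca/lib/netty-handler-4.1.118.Final.jar"   # already fixed
}

# Usage: sh netty_scan.sh /path/to/opensearch-2.19.0
# Exits non-zero if any affected jar is found, so it can gate a deployment.
if [ -n "${1:-}" ]; then
  scan_netty_jars "$1"
  [ "$(count_affected "$1")" -eq 0 ]
fi
```

Run it against the directory you unpacked the tarball into; a clean 2.19.1 bundle should print only `ok` lines. Jars whose names do not follow the `-x.y.z.Final.jar` pattern are reported as `skip` rather than silently passed, so they can be checked by hand.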

Hi @NeilBillett ,

Please create the issues on GitHub. I would make an issue for each plugin in the OpenSearch GitHub. I have added the list of plugin projects below:


Done:

(sorry forum won’t let me post more than 2 links)

Thank you.


Thanks for keeping your eyes open for us, @NeilBillett !

No problem - thank you.

For anyone following this thread I’m being told that the imminent release of Opensearch 2.19.1 addresses this issue by upgrade to Netty 4.1.118.Final.

…and can subsequently confirm that 2.19.1 is out and does the trick:

[root@test tmp]# wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.19.1/opensearch-2.19.1-linux-x64.tar.gz
…blah…
[root@test tmp]# tar -xvzf opensearch-2.19.1-linux-x64.tar.gz
…blah…
[root@test tmp]# cd opensearch-2.19.1
[root@test opensearch-2.19.1]# find . -name netty-handler*
./modules/transport-netty4/netty-handler-4.1.118.Final.jar
./performance-analyzer-rca/lib/netty-handler-4.1.118.Final.jar
./performance-analyzer-rca/lib/netty-handler-proxy-4.1.118.Final.jar
./plugins/opensearch-ml/netty-handler-4.1.118.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-4.1.118.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-proxy-4.1.118.Final.jar
./plugins/opensearch-security/netty-handler-4.1.118.Final.jar

Thanks for the very quick turnaround!


Thank you for confirming @NeilBillett!