CVE-2025-24970 Apache Netty < 4.1.118.Final

Hi,

Are there any updates or mitigations available for https://nvd.nist.gov/vuln/detail/CVE-2025-24970

This is a recent high severity vulnerability in Apache Netty versions 4.1.91.Final through to 4.1.117.Final. If successfully exploited this could lead to Denial of Service (DoS). I understand 4.1.118.Final is available which addresses the issue.

Looking at the current OpenSearch release 2.19.0 (in the unpacked tarball) I can see affected libs in several places (here searching for just the handler):

[root@test opensearch-2.19.0]# find . -name netty-handler*
./modules/transport-netty4/netty-handler-4.1.117.Final.jar
./performance-analyzer-rca/lib/netty-handler-4.1.117.Final.jar
./performance-analyzer-rca/lib/netty-handler-proxy-4.1.117.Final.jar
./plugins/opensearch-ml/netty-handler-4.1.115.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-4.1.117.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-proxy-4.1.117.Final.jar
./plugins/opensearch-security/netty-handler-4.1.117.Final.jar

Thank you.


Hi @NeilBillett ,

Please create the issues in GitHub. I would make an issue for each plugin in the OpenSearch GitHub. I have added the list of plugin projects below:


Done:

(sorry forum won’t let me post more than 2 links)

Thank you.


Thanks for keeping your eyes open for us, @NeilBillett !

No problem - thank you.

For anyone following this thread I’m being told that the imminent release of Opensearch 2.19.1 addresses this issue by upgrade to Netty 4.1.118.Final.


…and can subsequently confirm that 2.19.1 is out and does the trick:

[root@test tmp]# wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.19.1/opensearch-2.19.1-linux-x64.tar.gz
…blah…
[root@test tmp]# tar -xvzf opensearch-2.19.1-linux-x64.tar.gz
…blah…
[root@test tmp]# cd opensearch-2.19.1
[root@test opensearch-2.19.1]# find . -name netty-handler*
./modules/transport-netty4/netty-handler-4.1.118.Final.jar
./performance-analyzer-rca/lib/netty-handler-4.1.118.Final.jar
./performance-analyzer-rca/lib/netty-handler-proxy-4.1.118.Final.jar
./plugins/opensearch-ml/netty-handler-4.1.118.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-4.1.118.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-proxy-4.1.118.Final.jar
./plugins/opensearch-security/netty-handler-4.1.118.Final.jar

Thanks for the very quick turnaround!

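The `find` check above works for one artifact at a time; here is an added example (not code from the thread or from the OpenSearch project) that walks an unpacked bundle, parses every Netty jar name and flags those inside the 4.1.91.Final to 4.1.117.Final range quoted from the advisory in the first post. It assumes the `netty-<artifact>-<x.y.z>.Final.jar` naming seen in the listings; the sample paths are copied from the 2.19.0 listing for a self-contained run.

```python
import os
import re
import sys
from typing import Iterable, List, Optional, Tuple

# Affected range and fixed version for CVE-2025-24970, as stated in the thread.
AFFECTED_MIN = (4, 1, 91)
AFFECTED_MAX = (4, 1, 117)
FIXED = (4, 1, 118)

# Bundle jar naming convention, e.g. netty-handler-proxy-4.1.117.Final.jar (assumption).
JAR_RE = re.compile(r"^(netty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)\.Final\.jar$")

# Constructed sample: the 2.19.0 paths reported earlier in this thread.
SAMPLE_LISTING = [
    "./modules/transport-netty4/netty-handler-4.1.117.Final.jar",
    "./performance-analyzer-rca/lib/netty-handler-proxy-4.1.117.Final.jar",
    "./plugins/opensearch-ml/netty-handler-4.1.115.Final.jar",
    "./plugins/opensearch-security/netty-handler-4.1.117.Final.jar",
]

def netty_version(path: str) -> Optional[Tuple[str, Tuple[int, int, int]]]:
    """Return (artifact, (major, minor, patch)) for a Netty jar, or None otherwise."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))

def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies inside the range the advisory names (inclusive)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def affected_jars(paths: Iterable[str]) -> List[str]:
    """Keep only the paths that are Netty jars in the affected range."""
    return [p for p in paths
            if (v := netty_version(p)) is not None and is_affected(v[1])]

def scan_tree(root: str) -> List[str]:
    """Walk an unpacked bundle (modules, plugins, ...) and list affected Netty jars."""
    found = []
    for dirpath, _, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return sorted(affected_jars(found))

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for h in hits:
        print("AFFECTED", h)
    sys.exit(1 if hits else 0)
```

Run it from the top of the unpacked tarball; a non-zero exit means at least one jar still needs the 4.1.118.Final upgrade.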

Thank you for confirming @NeilBillett!