vulnerability

IBM WebSphere Application Server: CVE-2025-25193: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Netty (CVE-2025-25193)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:L/AC:L/Au:S/C:N/I:N/A:C)	Feb 10, 2025	Apr 23, 2025	Mar 27, 2026

Severity

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

Feb 10, 2025

Added

Apr 23, 2025

Modified

Mar 27, 2026

Description

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

Solution

ibm-was-upgrade-8-5-25-0-0-4-liberty

References

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report