Skip to content

firebase-admin-9.4.2.jar: 9 vulnerabilities (highest severity is: 7.5) #17

New issue
New issue
Open
Open
firebase-admin-9.4.2.jar: 9 vulnerabilities (highest severity is: 7.5)#17
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Feb 11, 2025
Vulnerable Library - firebase-admin-9.4.2.jar

Path to dependency file: /firebase/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents.client5/httpclient5/5.4.1/ce913081e592ee8eeee35c4e577d7dce13cba7a4/httpclient5-5.4.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents.client5/httpclient5/5.4.1/ce913081e592ee8eeee35c4e577d7dce13cba7a4/httpclient5-5.4.1.jar

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (firebase-admin version) Remediation Possible**
WS-2026-0003 High 7.5 jackson-core-2.18.2.jar Transitive N/A*
CVE-2026-33870 High 7.5 netty-codec-http-4.1.116.Final.jar Transitive N/A*
CVE-2025-55163 High 7.5 grpc-netty-shaded-1.67.1.jar Transitive N/A*
CVE-2025-27820 High 7.5 httpclient5-5.4.1.jar Transitive 9.4.3
CVE-2025-24970 High 7.5 netty-handler-4.1.116.Final.jar Transitive 9.5.0
CVE-2025-67735 Medium 6.5 netty-codec-http-4.1.116.Final.jar Transitive N/A*
CVE-2025-25193 Medium 5.5 netty-common-4.1.116.Final.jar Transitive 9.5.0
CVE-2025-58057 Medium 5.3 detected in multiple dependencies Transitive 9.5.0
CVE-2025-58056 Medium 5.3 netty-codec-http-4.1.116.Final.jar Transitive 9.5.0

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2026-0003

Vulnerable Library - jackson-core-2.18.2.jar

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

Library home page: https://github.com/FasterXML/jackson-core

Path to dependency file: /common/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.18.2/fb64ccac5c27dca8819418eb4e443a9f496d9ee7/jackson-core-2.18.2.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.18.2/fb64ccac5c27dca8819418eb4e443a9f496d9ee7/jackson-core-2.18.2.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.18.2/fb64ccac5c27dca8819418eb4e443a9f496d9ee7/jackson-core-2.18.2.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.18.2/fb64ccac5c27dca8819418eb4e443a9f496d9ee7/jackson-core-2.18.2.jar

Dependency Hierarchy:

  • firebase-admin-9.4.2.jar (Root Library)
    • google-cloud-storage-2.44.1.jar
      • jackson-core-2.18.2.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).

The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.

Publish Date: 2026-03-02

URL: WS-2026-0003

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-72hv-8253-57qq

Release Date: 2026-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-core:2.18.6,https://github.com/FasterXML/jackson-core.git - jackson-core-2.21.1,https://github.com/FasterXML/jackson-core.git - jackson-core-2.18.6,tools.jackson.core:jackson-core:3.1.0,https://github.com/FasterXML/jackson-core.git - jackson-core-3.1.0

Step up your Open Source Security Game with Mend here

CVE-2026-33870

Vulnerable Library - netty-codec-http-4.1.116.Final.jar

Library home page: https://netty.io/

Path to dependency file: /hermes/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar

Dependency Hierarchy:

  • firebase-admin-9.4.2.jar (Root Library)
    • netty-codec-http-4.1.116.Final.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Summary Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Background This vulnerability is a new variant discovered during research into the "Funky Chunks" HTTP request smuggling techniques: - "https://w4ke.info/2025/06/18/funky-chunks.html" (https://w4ke.info/2025/06/18/funky-chunks.html) - "https://w4ke.info/2025/10/29/funky-chunks-2.html" (https://w4ke.info/2025/10/29/funky-chunks-2.html) The original research tested various chunk extension parsing differentials but did not cover quoted-string handling within extension values. Technical Details RFC 9110 Section 7.1.1 defines chunked transfer encoding: chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) chunk-ext-val = token / quoted-string RFC 9110 Section 5.6.4 defines quoted-string: quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE Critically, the allowed character ranges within a quoted-string are: qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text quoted-pair = "" ( HTAB / SP / VCHAR / obs-text ) CR ("%x0D") and LF ("%x0A") bytes fall outside all of these ranges and are therefore not permitted inside chunk extensions—whether quoted or unquoted. A strictly compliant parser should reject any request containing CR or LF bytes before the actual line terminator within a chunk extension with a "400 Bad Request" response (as Squid does, for example). Vulnerability Netty terminates chunk header parsing at "\r\n" inside quoted strings instead of rejecting the request as malformed. This creates a parsing differential between Netty and RFC-compliant parsers, which can be exploited for request smuggling. Expected behavior (RFC-compliant): A request containing CR/LF bytes within a chunk extension value should be rejected outright as invalid. Actual behavior (Netty): Chunk: 1;a="value ^^^^^ parsing terminates here at \r\n (INCORRECT) Body: here"... is treated as body or the beginning of a subsequent request The root cause is that Netty does not validate that CR/LF bytes are forbidden inside chunk extensions before the terminating CRLF. Rather than attempting to parse through quoted strings, the appropriate fix is to reject such requests entirely. Proof of Concept #!/usr/bin/env python3 import socket payload = ( b"POST / HTTP/1.1\r\n" b"Host: localhost\r\n" b"Transfer-Encoding: chunked\r\n" b"\r\n" b'1;a="\r\n' b"X\r\n" b"0\r\n" b"\r\n" b"GET /smuggled HTTP/1.1\r\n" b"Host: localhost\r\n" b"Content-Length: 11\r\n" b"\r\n" b'"\r\n' b"Y\r\n" b"0\r\n" b"\r\n" ) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(3) sock.connect(("127.0.0.1", 8080)) sock.sendall(payload) response = b"" while True: try: chunk = sock.recv(4096) if not chunk: break response += chunk except socket.timeout: break sock.close() print(f"Responses: {response.count(b'HTTP/')}") print(response.decode(errors="replace")) Result: The server returns two HTTP responses from a single TCP connection, confirming request smuggling. Parsing Breakdown | Parser | Request 1 | Request 2 | |-----------------------|-------------------|------------------------------------| | Netty (vulnerable) | POST / body="X" | GET /smuggled (SMUGGLED) | | RFC-compliant parser | 400 Bad Request | (none — malformed request rejected)| Impact - Request Smuggling: An attacker can inject arbitrary HTTP requests into a connection. - Cache Poisoning: Smuggled responses may poison shared caches. - Access Control Bypass: Smuggled requests can circumvent frontend security controls. - Session Hijacking: Smuggled requests may intercept responses intended for other users. Reproduction 1. Start the minimal proof-of-concept environment using the provided Docker configuration. 2. Execute the proof-of-concept script included in the attached archive. Suggested Fix The parser should reject requests containing CR or LF bytes within chunk extensions rather than attempting to interpret them: 3. Read chunk-size. 4. If ';' is encountered, begin parsing extensions: a. For each byte before the terminating CRLF: - If CR (%x0D) or LF (%x0A) is encountered outside the final terminating CRLF, reject the request with 400 Bad Request. b. If the extension value begins with DQUOTE, validate that all enclosed bytes conform to the qdtext / quoted-pair grammar. 5. Only treat CRLF as the chunk header terminator when it appears outside any quoted-string context and contains no preceding illegal bytes. Acknowledgments Credit to Ben Kallus for clarifying the RFC interpretation during discussion on the HAProxy mailing list. Resources - "RFC 9110: HTTP Semantics (Sections 5.6.4, 7.1.1)" (https://www.rfc-editor.org/rfc/rfc9110) - "Funky Chunks Research" (https://w4ke.info/2025/06/18/funky-chunks.html) - "Funky Chunks 2 Research" (https://w4ke.info/2025/10/29/funky-chunks-2.html) Attachments "Vulnerability Diagram" (https://github.com/user-attachments/assets/2faaa23e-693b-4efc-afb7-aae1d4101e7e) "java_netty.zip" (https://github.com/user-attachments/files/24697955/java_netty.zip)

Publish Date: 2026-03-26

URL: CVE-2026-33870

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pwqr-wmgm-9rr8

Release Date: 2026-03-26

Fix Resolution: io.netty:netty-codec-http:4.1.132.Final,io.netty:netty-codec-http:4.2.10.Final

Step up your Open Source Security Game with Mend here

CVE-2025-55163

Vulnerable Library - grpc-netty-shaded-1.67.1.jar

gRPC: Netty Shaded

Library home page: https://github.com/grpc/grpc-java

Path to dependency file: /hermes/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.grpc/grpc-netty-shaded/1.67.1/8cc4f36b2a9799126651db9eb8d89183b720ec36/grpc-netty-shaded-1.67.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.grpc/grpc-netty-shaded/1.67.1/8cc4f36b2a9799126651db9eb8d89183b720ec36/grpc-netty-shaded-1.67.1.jar

Dependency Hierarchy:

  • firebase-admin-9.4.2.jar (Root Library)
    • google-cloud-storage-2.44.1.jar
      • grpc-netty-shaded-1.67.1.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

Publish Date: 2025-08-13

URL: CVE-2025-55163

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-08-13

Fix Resolution: https://github.com/netty/netty.git - 4.2.4.Final,https://github.com/netty/netty.git - netty-4.1.124.Final,io.netty:netty-codec-http2:4.1.124.Final,io.netty:netty-codec-http2:4.2.4.Final

Step up your Open Source Security Game with Mend here

CVE-2025-27820

Vulnerable Library - httpclient5-5.4.1.jar

Apache HttpComponents Client

Library home page: https://hc.apache.org/httpcomponents-client-5.4.x/5.4.1/

Path to dependency file: /hermes/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents.client5/httpclient5/5.4.1/ce913081e592ee8eeee35c4e577d7dce13cba7a4/httpclient5-5.4.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents.client5/httpclient5/5.4.1/ce913081e592ee8eeee35c4e577d7dce13cba7a4/httpclient5-5.4.1.jar

Dependency Hierarchy:

  • firebase-admin-9.4.2.jar (Root Library)
    • httpclient5-5.4.1.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

Publish Date: 2025-04-24

URL: CVE-2025-27820

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-04-24

Fix Resolution (org.apache.httpcomponents.client5:httpclient5): 5.4.3

Direct dependency fix Resolution (com.google.firebase:firebase-admin): 9.4.3

Step up your Open Source Security Game with Mend here

CVE-2025-24970

Vulnerable Library - netty-handler-4.1.116.Final.jar

Library home page: https://netty.io/

Path to dependency file: /hermes/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.116.Final/eaef854ef33f3fd3d0ecf927690d8112c710bc05/netty-handler-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.116.Final/eaef854ef33f3fd3d0ecf927690d8112c710bc05/netty-handler-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.116.Final/eaef854ef33f3fd3d0ecf927690d8112c710bc05/netty-handler-4.1.116.Final.jar

Dependency Hierarchy:

  • firebase-admin-9.4.2.jar (Root Library)
    • netty-handler-4.1.116.Final.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.

Publish Date: 2025-02-10

URL: CVE-2025-24970

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4g8c-wm8x-jfhw

Release Date: 2025-02-10

Fix Resolution (io.netty:netty-handler): 4.1.118.Final

Direct dependency fix Resolution (com.google.firebase:firebase-admin): 9.5.0

Step up your Open Source Security Game with Mend here

CVE-2025-67735

Vulnerable Library - netty-codec-http-4.1.116.Final.jar

Library home page: https://netty.io/

Path to dependency file: /hermes/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar

Dependency Hierarchy:

  • firebase-admin-9.4.2.jar (Root Library)
    • netty-codec-http-4.1.116.Final.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the "io.netty.handler.codec.http.HttpRequestEncoder" has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when "HttpRequestEncoder" is used without proper sanitization of the URI. Any application / framework using "HttpRequestEncoder" can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.

Publish Date: 2025-12-16

URL: CVE-2025-67735

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-12-16

Fix Resolution: https://github.com/netty/netty.git - netty-4.2.8.Final,https://github.com/netty/netty.git - netty-4.1.129.Final

Step up your Open Source Security Game with Mend here

CVE-2025-25193

Vulnerable Library - netty-common-4.1.116.Final.jar

Library home page: https://netty.io/

Path to dependency file: /firebase/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.116.Final/6871f95af2bc3a98fda34a580baf6cac8cbc2944/netty-common-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.116.Final/6871f95af2bc3a98fda34a580baf6cac8cbc2944/netty-common-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.116.Final/6871f95af2bc3a98fda34a580baf6cac8cbc2944/netty-common-4.1.116.Final.jar

Dependency Hierarchy:

  • firebase-admin-9.4.2.jar (Root Library)
    • netty-handler-4.1.116.Final.jar
      • netty-common-4.1.116.Final.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

Publish Date: 2025-02-10

URL: CVE-2025-25193

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-389x-839f-4rhx

Release Date: 2025-02-10

Fix Resolution (io.netty:netty-common): 4.1.118.Final

Direct dependency fix Resolution (com.google.firebase:firebase-admin): 9.5.0

Step up your Open Source Security Game with Mend here

CVE-2025-58057

Vulnerable Libraries - netty-codec-4.1.116.Final.jar, netty-codec-http-4.1.116.Final.jar

netty-codec-4.1.116.Final.jar

Library home page: https://netty.io/

Path to dependency file: /apns/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.116.Final/cbe928f601e51a0b5750342b6dad5d35fa12f745/netty-codec-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.116.Final/cbe928f601e51a0b5750342b6dad5d35fa12f745/netty-codec-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.116.Final/cbe928f601e51a0b5750342b6dad5d35fa12f745/netty-codec-4.1.116.Final.jar

Dependency Hierarchy:

  • firebase-admin-9.4.2.jar (Root Library)
    • netty-handler-4.1.116.Final.jar
      • netty-codec-4.1.116.Final.jar (Vulnerable Library)

netty-codec-http-4.1.116.Final.jar

Library home page: https://netty.io/

Path to dependency file: /hermes/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar

Dependency Hierarchy:

  • firebase-admin-9.4.2.jar (Root Library)
    • netty-codec-http-4.1.116.Final.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-09-03

URL: CVE-2025-58057

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-09-03

Fix Resolution (io.netty:netty-codec): 4.1.125.Final

Direct dependency fix Resolution (com.google.firebase:firebase-admin): 9.5.0

Fix Resolution (io.netty:netty-codec-http): 4.1.125.Final

Direct dependency fix Resolution (com.google.firebase:firebase-admin): 9.5.0

Step up your Open Source Security Game with Mend here

CVE-2025-58056

Vulnerable Library - netty-codec-http-4.1.116.Final.jar

Library home page: https://netty.io/

Path to dependency file: /hermes/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.116.Final/75a0455171848a4188a9f77e9a1e76a036381260/netty-codec-http-4.1.116.Final.jar

Dependency Hierarchy:

  • firebase-admin-9.4.2.jar (Root Library)
    • netty-codec-http-4.1.116.Final.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.

Publish Date: 2025-09-03

URL: CVE-2025-58056

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-09-03

Fix Resolution (io.netty:netty-codec-http): 4.1.125.Final

Direct dependency fix Resolution (com.google.firebase:firebase-admin): 9.5.0

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions