Red Hat build of Keycloak
RHBK-3601

CVE-2025-58057 - Netty BrotliDecoder / Data Amplification vulnerability [GHI#42491]


      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      No response

      Describe the bug

      Netty’s BrotliDecoder is vulnerable to a denial of service (DoS) through highly compressed data (zip bomb–style) leading to data amplification. This affects multiple components (netty-codec, netty-codec-http, and netty-codec-http2).

      A flaw in the handling of Brotli-compressed data may allow an attacker to trigger excessive memory or CPU consumption when decompressing malicious payloads. This can result in application-level denial of service. Both Trivy and Snyk flagged this issue across different Netty codecs, but they all map to the same CVE.

      Version

      26.3.3

      Regression

      [ ] The issue is a regression

      Expected behavior

      No CVEs reported.

      Actual behavior

      CVE reported.

      How to Reproduce?

      Check scanner alerts.

      Anything else?

      References:

              Assignee: Unassigned
              Reporter: Pavel Vlha (pvlha)
              Team/Component: Keycloak Cloud Native
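The report above describes the failure mode (a small compressed input that expands without bound during decoding) but not the mitigation. The following is an added illustration, not code from Keycloak, Netty or the reporter: a streaming decompressor that enforces an absolute output cap and an amplification-ratio cap while the output is being produced, instead of inflating everything first. It uses zlib (DEFLATE) from the Python standard library as a stand-in for Brotli, because the amplification problem and the guard are the same for both formats; the sample inputs are constructed here, and the thresholds (1 MiB cap, 100:1 ratio, 64 KiB floor) are illustrative choices, not values from any advisory.

```python
"""Streaming decompression with output and amplification bounds.

Added illustration, not Keycloak or Netty code. zlib (DEFLATE) stands in for
Brotli: the failure mode in the report (small input, unbounded expansion) and
the mitigation (check bounds while streaming, never inflate first and measure
later) are the same for both formats.
"""
import random
import zlib


class DecompressionBombError(ValueError):
    """Raised when decompressing would exceed the configured bounds."""


def safe_decompress(data: bytes, max_output: int, max_ratio: int = 100,
                    ratio_floor: int = 64 * 1024, chunk: int = 64 * 1024) -> bytes:
    """Inflate `data` incrementally and enforce two bounds as output appears.

    max_output  - absolute cap on decompressed bytes; the primary defence.
    max_ratio   - cap on output/input amplification. Only enforced once more
                  than `ratio_floor` bytes have been produced, so small
                  payloads that legitimately compress well are not rejected.
    chunk       - at most this many bytes are produced per step, so the full
                  expansion is never materialised before a bound is checked.
    """
    decoder = zlib.decompressobj()
    out = bytearray()
    pending = data
    while pending:
        piece = decoder.decompress(pending, chunk)   # <= chunk bytes of output
        pending = decoder.unconsumed_tail            # input zlib has not used
        out += piece
        produced = len(out)
        consumed = len(data) - len(pending)
        if produced > max_output:
            raise DecompressionBombError(
                f"decompressed size exceeds {max_output} bytes")
        if produced > ratio_floor and produced > max_ratio * max(consumed, 1):
            raise DecompressionBombError(
                f"amplification above {max_ratio}:1 "
                f"({produced} bytes out of {consumed} bytes in)")
        if decoder.eof:
            break
    # Drain what zlib may still hold (a partially copied match of at most
    # 258 bytes plus a few buffered bits) and re-check the absolute cap.
    out += decoder.flush()
    if len(out) > max_output:
        raise DecompressionBombError(
            f"decompressed size exceeds {max_output} bytes")
    return bytes(out)


def is_bomb(data: bytes, max_output: int) -> bool:
    """True if `safe_decompress` rejects `data` under the given cap."""
    try:
        safe_decompress(data, max_output)
    except DecompressionBombError:
        return True
    return False


def roundtrip_ok(plain: bytes, max_output: int) -> bool:
    """True if compressing `plain` and decoding it under the cap returns it."""
    return safe_decompress(zlib.compress(plain), max_output) == plain


def constructed_bomb(expanded_size: int = 20 * 1024 * 1024) -> bytes:
    """Constructed sample input: `expanded_size` zero bytes compressed at
    level 9, roughly 1000:1, the shape of a zip-bomb style payload."""
    return zlib.compress(b"\x00" * expanded_size, 9)


def constructed_payload(size: int = 50_000) -> bytes:
    """Constructed sample input: seeded pseudo-random bytes, which compress
    at roughly 1:1 and stand in for an ordinary request body."""
    rng = random.Random(1)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    print("ordinary body decoded:", roundtrip_ok(constructed_payload(), 1 << 20))
    print("bomb rejected:", is_bomb(constructed_bomb(), 1 << 20))
```

The absolute cap is the check that actually bounds memory; the ratio check is a cheap early abort that fires on the second chunk of the constructed bomb, long before the cap is reached. The floor exists because tiny sparse payloads (a kilobyte of zeros compresses to a few bytes) have high ratios and must not be rejected.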
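"How to Reproduce? Check scanner alerts." leaves the practitioner with nothing to verify against the distribution itself. The following is an added illustration, not Keycloak tooling, that classifies the Netty codec jars in a Keycloak lib directory against a per-branch fixed version. Two assumptions: jar names follow the Quarkus-based distribution layout under lib/lib/main (for example io.netty.netty-codec-4.1.118.Final.jar), and the fixed versions in FIXED_PATCH_BY_BRANCH are my reading of the upstream fix for CVE-2025-58057, to be confirmed against the CVE record before being relied on. The sample listing is constructed, not taken from a real build.

```python
"""Classify Netty codec jars in a Keycloak lib directory against a fixed version.

Added illustration, not Keycloak tooling. Assumes the jar naming of the
Quarkus-based distribution (io.netty.netty-codec-<version>.Final.jar) and
takes the fixed versions as an input that must be checked against the
advisory.
"""
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

# The three artifacts the report names: netty-codec, netty-codec-http,
# netty-codec-http2. Other codec jars (socks, dns, ...) are not matched.
NETTY_CODEC_JAR = re.compile(
    r"(netty-codec(?:-http2?)?)-(\d+)\.(\d+)\.(\d+)\.Final\.jar$")

# First fixed patch level per release branch, keyed by (major, minor).
# Assumed values (my reading of the upstream fix); verify against the advisory.
FIXED_PATCH_BY_BRANCH: Dict[Tuple[int, int], int] = {(4, 1): 125, (4, 2): 5}

Finding = Tuple[str, str, Tuple[int, int, int], str]


def classify(filename: str,
             fixed: Dict[Tuple[int, int], int] = FIXED_PATCH_BY_BRANCH
             ) -> Optional[Finding]:
    """Return (filename, artifact, version, status) for a Netty codec jar,
    or None for any other file. status is 'affected', 'fixed' or
    'unknown-branch'; a branch missing from `fixed` is never treated as safe."""
    m = NETTY_CODEC_JAR.search(os.path.basename(filename))
    if not m:
        return None
    artifact = m.group(1)
    major, minor, patch = (int(m.group(i)) for i in (2, 3, 4))
    fixed_patch = fixed.get((major, minor))
    if fixed_patch is None:
        status = "unknown-branch"
    elif patch >= fixed_patch:
        status = "fixed"
    else:
        status = "affected"
    return (filename, artifact, (major, minor, patch), status)


def scan_names(filenames: Iterable[str],
               fixed: Dict[Tuple[int, int], int] = FIXED_PATCH_BY_BRANCH
               ) -> List[Finding]:
    """Classify every name in `filenames`, dropping non-codec files."""
    return [f for f in (classify(n, fixed) for n in filenames) if f is not None]


def scan_dir(lib_dir: str,
             fixed: Dict[Tuple[int, int], int] = FIXED_PATCH_BY_BRANCH
             ) -> List[Finding]:
    """Walk `lib_dir` (for example <keycloak>/lib) and classify each codec jar."""
    paths = (os.path.join(root, name)
             for root, _, files in os.walk(lib_dir) for name in files)
    return scan_names(paths, fixed)


def affected_names(findings: Iterable[Finding]) -> List[str]:
    """Filenames whose status is 'affected', in listing order."""
    return [f[0] for f in findings if f[3] == "affected"]


# Constructed sample listing, not taken from a real distribution.
SAMPLE_LISTING = [
    "io.netty.netty-codec-4.1.118.Final.jar",
    "io.netty.netty-codec-http-4.1.118.Final.jar",
    "io.netty.netty-codec-http2-4.1.125.Final.jar",
    "io.netty.netty-handler-4.1.118.Final.jar",
    "io.netty.netty-codec-4.0.56.Final.jar",
]


if __name__ == "__main__":
    import sys
    findings = (scan_dir(sys.argv[1]) if len(sys.argv) > 1
                else scan_names(SAMPLE_LISTING))
    for name, artifact, version, status in findings:
        print(f"{status:15} {artifact:18} "
              f"{'.'.join(map(str, version)):10} {name}")
```

Run it with the distribution's lib directory as the only argument; with no argument it classifies the constructed listing. A version on a branch the table does not know is reported as unknown-branch rather than fixed, because a plain tuple comparison would wrongly clear an early 4.2.x build as newer than 4.1.125.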