Is io.netty:netty-codec-compression affected by CVE-2025-58057?

Maven io.netty:netty-codec-compression is affected in >=4.2.0.Alpha1 <4.2.5.Final.

Is CVE-2025-58057 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

medium

CVE-2025-58057

Q: Is CVE-2025-58057 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

Maven · io.netty:netty-codec-compression • Maven · io.netty:netty-codec

Summary

Netty's decoders vulnerable to DoS via zip bomb style attack

Severity: medium
EPSS: 0.6% (p42)
Also known as: GHSA-3p8m-j85q-pgmj#io.netty:netty-codec, GHSA-3p8m-j85q-pgmj#io.netty:netty-codec-compression
Published: 2025-09-03

References

https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
https://nvd.nist.gov/vuln/detail/CVE-2025-58057
https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d

Related advisories

CVE-2026-42583 — high · Maven/io.netty:netty-codec-compression

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.