Security vuln in aws sdk, via third-party (netty-nio-client) CVE-2025-24970

[singhRBGL]

Describe the bug

Please See : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24970

Presently netty-nio-client is using net-handler:4.1.116, that has following vulnerability
SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine

Short dependency chart:
[INFO] | +- software.amazon.awssdk:netty-nio-client:jar:2.30.26:compile
[INFO] | | +- io.netty:netty-handler:jar:4.1.116.Final:compile

Details are available at GHSA-4g8c-wm8x-jfhw

Impact
When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

There should be no Critical or high level vulnerability reported.

Current Behavior

It has a following high vulnerability:

CVE-2025-24970 : SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine

Reproduction Steps

    <dependency>
        <groupId>software.amazon.awssdk</groupId>
        <artifactId>netty-nio-client</artifactId>
        <version>2.30.27</version>
    </dependency>

Possible Solution

Upgrade the dependent io.netty/netty-handler:4.1.116.Final to version 4.1.118.Final or above.

Additional Information/Context

No response

AWS Java SDK version used

software.amazon.awssdk:aws-core:jar:2.30.26

JDK version used

openjdk version "21.0.6" 2025-01-21 OpenJDK Runtime Environment Homebrew (build 21.0.6) OpenJDK 64-Bit Server VM Homebrew (build 21.0.6, mixed mode, sharing)

Operating System and version

ProductName: macOS ProductVersion: 15.2 BuildVersion: 24C101

[debora-ito]

Hi @singhRBGL the latest version of the SDK is using netty 4.1.118 already, released in SDK version 2.30.17:

aws-sdk-java-v2/pom.xml

Line 116 in 0fac917

<netty.version>4.1.118.Final</netty.version>

I see you are using version 2.30.26, which should be using netty 4.1.118, so I think maven is resolving to an older version of netty in your project. Try using the verbose option to figure out which dependency is pulling the older netty:

$ mvn dependency:tree -Dverbose

[singhRBGL]

Following is output for mvn dependency:tree -Dverbose=true when using version 2.30.27

[INFO] +- software.amazon.awssdk:netty-nio-client:jar:2.30.27:compile
[INFO] | +- io.netty:netty-codec-http:jar:4.1.116.Final:compile (version managed from 4.1.118.Final)
[INFO] | +- io.netty:netty-codec-http2:jar:4.1.116.Final:compile (version managed from 4.1.118.Final)
[INFO] | +- io.netty:netty-codec:jar:4.1.116.Final:compile (version managed from 4.1.118.Final)
[INFO] | +- io.netty:netty-transport:jar:4.1.116.Final:compile (version managed from 4.1.118.Final)
[INFO] | +- io.netty:netty-common:jar:4.1.116.Final:compile (version managed from 4.1.118.Final)
[INFO] | +- io.netty:netty-buffer:jar:4.1.116.Final:compile (version managed from 4.1.118.Final)
[INFO] | +- io.netty:netty-handler:jar:4.1.116.Final:compile (version managed from 4.1.118.Final)

[debora-ito]

[INFO] | +- io.netty:netty-handler:jar:4.1.116.Final:compile (version managed from 4.1.118.Final)

Yes, this indicates some configuration in your pom is making maven resolve to netty 4.1.116.

After a quick web search I found this page that explains how to resolve version collisions, see section 4. Using the dependencyManagement Section.

[debora-ito]

I'll go ahead and close this, it's not an issue with the SDK.

The latest SDK version uses netty 4.1.118.Final

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.