Vulnerabiltiy CVE-2025-24970 in Netty library

[nr-ashishkumar]

Describe the bug

software.amazon.awssdk:netty-nio-client:latest library includes 4.1.118.Final version of transitive Netty dependencies.
4.1.118.Final version has vulnerability CVE-2025-24970 and its fix is available in the newer version of transitive dependencies 4.1.119.Final but its not yet adapted by software.amazon.awssdk:netty-nio-client:latest library pom.xml

Vulnerability fixing PR (Merged on 14-Feb-25): Replace SSL assertion with explicit record length check (#14810) by chrisvest · Pull Request #14822 · netty/netty

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

No change in the behavior. CVE-2025-24970 vulnerability must be fixed.

Current Behavior

NA

Reproduction Steps

NA

Possible Solution

#6097

Additional Information/Context

No response

AWS Java SDK version used

2.30.23

JDK version used

11

Operating System and version

linux arm64 22.04

[bhoradc]

Hello @nr-ashishkumar,

Thank you for reporting the issue.

According to the Netty 4.1.118.Final released notes, the patch for the critical CVE-2025-24970 was released in 4.1.118.Final version.

AWS SDK for Java v2.30.17 and onwards uses netty 4.1.118.Final.

Regards,
Chaitanya

[nr-ashishkumar]

Thank you @bhoradc

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.