Improper Handling of Highly Compressed Data (Data Amplification) Affecting wildfly package, versions <37.0.1-r0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CHAINGUARDLATEST-WILDFLY-12515628
- published5 Sept 2025
- disclosed4 Sept 2025
Introduced: 4 Sep 2025
NewCVE-2025-58057 (opens in a new tab)How to fix?
Upgrade Chainguard wildfly to version 37.0.1-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream wildfly package and not the wildfly package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.