CVE-2025-58057 - Netty BrotliDecoder / Data Amplification vulnerability #42491

@abstractj

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

No response

Describe the bug

Netty’s BrotliDecoder is vulnerable to a denial of service (DoS) through highly compressed data (zip bomb–style) leading to data amplification. This affects multiple components (netty-codec, netty-codec-http, and netty-codec-http2).

A flaw in the handling of Brotli-compressed data may allow an attacker to trigger excessive memory or CPU consumption when decompressing malicious payloads. This can result in application-level denial of service. Both Trivy and Snyk flagged this issue across different Netty codecs, but they all map to the same CVE.

Version

26.3.3

Regression

  • The issue is a regression

Expected behavior

No CVEs reported.

Actual behavior

CVE reported.

How to Reproduce?

Check scanner alerts.

Anything else?

References:
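
The report above describes a data amplification (decompression bomb) condition in a streaming decoder: a few kilobytes of compressed input expand into a much larger buffer, exhausting memory or CPU. The following is an added example, not code from this issue, from Netty or from Keycloak. It shows the amplification ratio such a payload achieves and the mitigation a decoder needs, namely enforcing an output budget while streaming rather than after the whole expansion has been allocated. Python's standard library has no Brotli codec, so zlib/DEFLATE stands in for Brotli here; `make_bomb`, `decompress_bounded`, `DecompressionBombError` and the constructed sample payload are all assumptions of this example, not names from Netty.

```python
import zlib

# Constructed sample: an all-zero plaintext is close to maximally compressible,
# so it behaves like a zip-bomb payload. zlib is used in place of Brotli
# because the standard library has no Brotli codec (assumption of this example).
def make_bomb(plaintext_size: int) -> bytes:
    return zlib.compress(b"\0" * plaintext_size, 9)


def amplification(compressed: bytes, decompressed_size: int) -> float:
    """Ratio of decompressed to compressed bytes (the amplification factor)."""
    return decompressed_size / len(compressed)


class DecompressionBombError(ValueError):
    """Raised when decompressed output would exceed the configured budget."""


def decompress_bounded(compressed: bytes, max_output: int) -> bytes:
    """Inflate `compressed`, refusing to emit more than `max_output` bytes.

    The budget is enforced on every streaming step, so a hostile payload is
    rejected after at most max_output + 1 bytes have been materialised, instead
    of after the full expansion has been allocated (the failure mode the
    report describes).
    """
    d = zlib.decompressobj()
    out = bytearray()
    buf = compressed
    while True:
        # Ask zlib for at most one byte beyond the remaining budget; if that
        # extra byte appears, the payload is over the limit.
        room = max_output - len(out) + 1
        piece = d.decompress(buf, room)
        out += piece
        if len(out) > max_output:
            raise DecompressionBombError(
                f"decompressed output exceeds {max_output} bytes "
                f"(compressed input was {len(compressed)} bytes)"
            )
        # Input zlib could not process because the output cap was hit.
        buf = d.unconsumed_tail
        # Stop at end of stream, or when input is exhausted and no output
        # is pending (an empty call drains output that zlib still holds).
        if d.eof or (not buf and not piece):
            break
    return bytes(out)


def rejects(compressed: bytes, max_output: int) -> bool:
    """True if decompress_bounded refuses the payload under this budget."""
    try:
        decompress_bounded(compressed, max_output)
    except DecompressionBombError:
        return True
    return False


if __name__ == "__main__":
    size = 8 * 1024 * 1024
    bomb = make_bomb(size)
    print(f"compressed: {len(bomb)} bytes, decompressed: {size} bytes, "
          f"amplification: {amplification(bomb, size):.0f}x")
    print("rejected under a 1 MiB budget:", rejects(bomb, 1024 * 1024))
```

An unbounded `zlib.decompress(bomb)` on the same input allocates the whole 8 MiB (and far more for a larger plaintext); `decompress_bounded` fails fast with at most the budget plus one byte in memory. The same shape of check, applied per inbound message and tied to the compressed input size, is what a network decoder needs regardless of the codec.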
