CVE-2025-58057: Medium-Severity Vulnerability Detected in Netty HTTP/2 Libraries

A newly disclosed vulnerability, CVE-2025-58057, has been flagged with a medium severity rating, impacting multiple core libraries within the widely used Netty framework. The flaw specifically affects the `netty-codec-http2`, `netty-codec`, and `netty-codec-http` libraries in version 4.1.38.Final. Netty is a foundational, asynchronous event-driven network framework critical for building high-performance protocol servers and clients across countless Java applications, making this vulnerability a significant point of scrutiny for development and security teams.

The vulnerability's presence was detected in a dependency chain originating from `fabric-chaincode-shim-1.4.8.jar`, a library used in Hyperledger Fabric chaincode development. The scanner identified the vulnerable Netty JAR files within a standard Gradle cache path (`/home/wss-scanner/.gradle/caches/...`), indicating this is not an isolated deployment issue but a direct dependency. The affected libraries are central to handling HTTP/2, HTTP, and general encoding/decoding operations, which are essential for network communication in modern microservices and distributed systems.

While the exact exploit vector and potential impact of CVE-2025-58057 are not detailed in this initial report, its medium severity rating suggests a risk that could lead to denial-of-service, information disclosure, or other integrity issues within applications relying on these Netty components. Organizations using Hyperledger Fabric or any Java-based service with a dependency on Netty 4.1.38.Final are now under pressure to audit their build pipelines, review the dependency hierarchy, and apply the forthcoming official patch from the Netty project to mitigate potential security exposure.