Impacted Versions
- Confluent Platform versions <= CP 7.3.13, <= 7.4.10, <= 7.5.9, <= 7.6.6,<= 7.7.4, <= 7.8.3, <= 7.9.2, =8.0.0
- Confluent Cloud managed clusters
Recommended Action
- Confluent Platform: Please upgrade to CP versions: 7.3.14, 7.4.11, 7.5.10, 7.6.7, 7.7.5, 7.8.4, 7.9.3, 8.0.1
- Confluent Cloud: Managed Confluent Cloud clusters were identified to be vulnerable to this issue. However, all managed clusters have been upgraded. Please note that no security impact was observed for the impacted clusters. No further action is necessary at this time.
Issue
A security issue was identified to impact both Confluent Platform and Confluent Cloud managed clusters due to the reliance on vulnerable dependency Netty-codec version 4.1.118 that is affected by CVE-2025-58057.
This vulnerability is due to the way decompression codec handles compressed data. A malicious client can abuse the decompression codec and create a malicious crafted input that will cause the decompression codec to allocate large amounts of memory creating resource exhaustion on the server handling the request.
Remediation
- Confluent Cloud: This issue has already been resolved in Confluent Cloud and no further action is necessary.
- Confluent Platform: This issue is resolved in the CP patch release versions 7.3.14, 7.4.11, 7.5.10, 7.6.7, 7.7.5, 7.8.4, 7.9.3, 8.0.1. These fixes adequately address this issue by updating the vulnerable library Netty-codec to version 4.1.125.Final that effectively mitigates this vulnerability.
OriginalCVSS Score:
7.5
Adjusted CVSS Score:
6.5