azure-core-http-netty 1.16.3 bundles Netty 4.1.130.Final, vulnerable to CVE-2026-33870 and CVE-2026-33871 #48631

@RobinBruegger

azure-core-http-netty 1.16.3 (the current stable release) transitively pulls in io.netty:netty-codec-http and io.netty:netty-codec-http2 at version 4.1.130.Final, which is vulnerable to two recently published CVEs:

Both were fixed in Netty 4.1.132.Final, released 2026-03-24.
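
To check whether a build actually resolves the Netty modules named above at a version older than 4.1.132.Final, the following added example (not part of the original issue or the Azure SDK) scans `mvn dependency:tree` output. The sample tree and the function names are constructed for illustration, and treating every 4.1.x release below 4.1.132 as needing an upgrade is an assumption.

```python
import re

# Fixed release named in the issue; artifacts are the two the issue lists.
FIXED = (4, 1, 132)
AFFECTED = {"netty-codec-http", "netty-codec-http2"}

# Constructed sample of `mvn dependency:tree` output, not taken from the issue.
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.azure:azure-core-http-netty:jar:1.16.3:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.130.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.130.Final:compile
[INFO] |  \\- io.netty:netty-codec-http2:jar:4.1.130.Final:compile
[INFO] \\- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.132.Final:compile
"""

def parse_coordinate(line):
    """Return (group, artifact, version) from one dependency:tree line, or None."""
    tokens = [t for t in line.split() if t.count(":") >= 3]
    if not tokens:
        return None
    parts = tokens[-1].split(":")
    # group:artifact:type:version[:scope], or with a classifier:
    # group:artifact:type:classifier:version:scope
    version = parts[4] if len(parts) == 6 else parts[3]
    return parts[0], parts[1], version

def find_outdated_netty(tree_text):
    """List (artifact, version) for affected Netty 4.1.x modules below FIXED."""
    hits = set()
    for line in tree_text.splitlines():
        coord = parse_coordinate(line)
        if coord is None:
            continue
        group, artifact, version = coord
        m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
        if group != "io.netty" or artifact not in AFFECTED or not m:
            continue
        numeric = tuple(int(x) for x in m.groups())
        # Assumption: every 4.1.x below the fixed release is flagged; the issue
        # itself only confirms 4.1.130.Final. Other release lines are skipped.
        if numeric[:2] == FIXED[:2] and numeric < FIXED:
            hits.add((artifact, version))
    return sorted(hits)

if __name__ == "__main__":
    for artifact, version in find_outdated_netty(SAMPLE_TREE):
        print(f"io.netty:{artifact}:{version} is older than 4.1.132.Final")
```

Feed it the text of a real `mvn dependency:tree` run in place of `SAMPLE_TREE`; an empty result means neither module resolves to a 4.1.x version below the fixed release.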

Labels

Azure.Core
azure-core
HttpClient
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
