Update Netty to 4.2.14.Final to address multiple CVEs #19551
Closed
ashwintumma23 wants to merge 1 commit into
This update addresses 17 critical and high severity CVEs in Netty:

- CVE-2026-42583: Lz4FrameDecoder resource exhaustion (HIGH)
- CVE-2026-42579: HTTP response desynchronization (HIGH)
- CVE-2026-42585: MQTT resource exhaustion (MODERATE)
- CVE-2026-33870: HTTP request smuggling via quoted strings (HIGH)
- CVE-2025-67735: DNS codec validation bypass (HIGH)
- CVE-2026-42587: HTTP/3 QPACK unbounded allocation (HIGH)
- CVE-2026-41417: Epoll transport DoS via RST (HIGH)
- CVE-2026-42584: HTTP request smuggling via Transfer-Encoding (MODERATE)
- CVE-2026-42581: HTTP request smuggling via chunk size parsing (MODERATE)
- CVE-2026-42580: Redis codec CRLF injection (MODERATE)
- CVE-2026-33871: HTTP header injection via HttpProxyHandler (LOW)
- CVE-2026-42582: Additional HTTP codec vulnerabilities
- CVE-2026-44248: MQTT 5 decoder resource exhaustion (HIGH)
- CVE-2026-42586: Additional resource consumption issues
- CVE-2025-59419: Security improvements
- CVE-2026-42578: Additional security fixes
- CVE-2026-42577: Additional security fixes

Updated netty4.version from 4.2.12.Final to 4.2.14.Final. All CVEs are fixed in version 4.2.13.Final and later.
Summary
This PR updates Netty from version 4.2.12.Final to 4.2.14.Final to address 17 critical and high severity CVEs.
CVEs Addressed
High Severity:
Moderate Severity:
Low Severity:
Additional Fixes:
Changes
Verification
All CVEs listed are fixed in Netty version 4.2.13.Final and later. Version 4.2.14.Final is the latest stable release as of May 2026.
References