We are happy to announce the release of netty 4.1.124.Final. This is a bug-fix release which also contains a fix for a CVE-2025-55163.

The most important changes are:

• MadeYouReset HTTP/2 DDoS vulnerability (CVE-2025-55163)
• Fix NPE and AssertionErrors when many tasks are scheduled and cancelled (#15499)
• HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncoder (#15518)
• Epoll: Correctly handle UDP packets with source port of 0 (#15537)
• Fix netty-common OSGi Import-Package header (#15546)
• MqttConnectPayload.toString() includes password (#15554)

For more details please visit our bug tracker

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @bryce-anderson
• @chrisvest
• @d-william
• @franz1981
• @galbarnahum
• @jbertram
• @normanmaurer
• @rovarga
• @vietj
• @violetagg
• @yawkat