We are happy to announce the release of netty 4.2.4.Final. This is a bug-fix release which also contains a fix for a CVE-2025-55163.

The most important changes are:

• MadeYouReset HTTP/2 DDoS vulnerability (CVE-2025-55163)
• Add support for SOCKS5 private authentication methods (RFC#1928) (#15470)
• IoUring: Add support for IORING_OP_SEND_ZC (#15491)
• JFR profile and JFR reader for the allocation simulator (#15497)
• Add namespace to our JFR events (#15500)
• Fix NPE and AssertionErrors when many tasks are scheduled and cancelled (#15501)
• IoUring: Detect completion queue overflow (#15505)
• Fix JFR event names in the flight recorder profile (#15506)
• Add close-tracking to our leak detector (#15512)
• ByteBufOutputStream.writeBytes should only write lower-order bytes (#15514)
• HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncoder (#15516)
• Add CompositeByteBuf.componentSlice() to return correctly indexed view (#15519)
• Use optional dependency for svm (#15521)
• Epoll: Correctly handle UDP packets with source port of 0. (#15528)
• FastThreadLocal: Optimize fallback check for virtual threads to O(1) (#15532)
• Fix netty-common OSGi Import-Package header (#15540)
• IoUring: Correctly handle channel.config().setAutoRead(false) (#15541)
• IoUring: Submit and process completions in a loop to ensure timely processing. (#15544)
• MqttConnectPayload.toString() includes password (#15548)

For more details please visit our bug tracker

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission * @bryce-anderson * @chrisvest * @d-william * @dreamlike-ocean * @franz1981 * @galbarnahum * @georgebanasios * @He-Pin * @jbertram * @laosijikaichele * @linking12 * @normanmaurer * @rovarga * @sergiitk * @sunil-solace * @vietj * @violetagg * @yawkat