We are happy to announce the release of netty 4.1.126.Final. This is a bug-fix release which also contains a 2 security fixes, CVE-2025-58057 and CVE-2025-58056.

The most important changes are:

• Decompression codecs vulnerable to DoS via zip bomb style attack (CVE-2025-58057)
• Request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056)
• Fix IllegalReferenceCountException on invalid upgrade response (#15606)
• Drop unknown frame on missing stream (#15595)
• Don't try to handle incomplete upgrade request (#15585)
• Make org.graalvm.nativeimage:svm optional in netty-common (#15558)

For more details please visit our bug tracker

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @bryce-anderson
• @chrisvest
• @franz1981
• @gemmellr
• @isaacrivriv
• @JLLeitschuh
• @normanmaurer
• @rovarga
• @vietj
• @yawkat