Netty 4.1.126.Final released
We are happy to announce the release of Netty 4.1.126.Final. This is a bug-fix release which also contains 2 security fixes, CVE-2025-58057 and CVE-2025-58056.
The most important changes are:
- Decompression codecs vulnerable to DoS via zip-bomb-style attack (CVE-2025-58057)
- Request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056)
- Fix IllegalReferenceCountException on invalid upgrade response (#15606)
- Drop unknown frame on missing stream (#15595)
- Don't try to handle incomplete upgrade request (#15585)
- Make org.graalvm.nativeimage:svm optional in netty-common (#15558)
For more details, please visit our bug tracker.
Thank You
Every idea and bug report counts, so we thought it worth mentioning those who helped in this area.
Please report an unintended omission.