Skip navigation

Netty 4.1.126.Final released

We are happy to announce the release of netty 4.1.126.Final. This is a bug-fix release which also contains a 2 security fixes, CVE-2025-58057 and CVE-2025-58056.

The most important changes are:

  • Decompression codecs vulnerable to DoS via zip bomb style attack (CVE-2025-58057)
  • Request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056)
  • Fix IllegalReferenceCountException on invalid upgrade response (#15606)
  • Drop unknown frame on missing stream (#15595)
  • Don't try to handle incomplete upgrade request (#15585)
  • Make org.graalvm.nativeimage:svm optional in netty-common (#15558)

For more details please visit our bug tracker

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.