Netty 4.2.5.Final released
We are happy to announce the release of Netty 4.2.5.Final. This is a bug-fix release which also contains 2 security fixes, CVE-2025-58057 and CVE-2025-58056.
The most important changes are:
- Decompression codecs vulnerable to DoS via zip bomb style attack (CVE-2025-58057)
- Request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056)
- Only register chunk sizes in adaptive allocator (#15575)
- Always load BouncyCastle classes with the Netty classloader (#15569)
- Update to quiche 0.24.5 (#15556)
- Clean up netty-buffer Import-Package (#15562)
- Don't try to handle incomplete upgrade request (#15581)
- SubmissionQueue::toString should iterate from the head (#15586)
- Implement automatic scaling for EventLoopGroup threads (#15524)
- Drop unknown frame on missing stream (#15592)
- IoUring: Reduce redundant system calls (#15591)
- IoUring: Always correctly handle result for zero copy (#15600)
- Fix IllegalReferenceCountException on invalid upgrade response (#15602)
For more details please visit our bug tracker
Thank You
Every idea and bug report counts, so we thought it worth mentioning those who helped in this area.
Please report an unintended omission.
- @brucelwl
- @bryce-anderson
- @chrisvest
- @doom369
- @dreamlike-ocean
- @franz1981
- @georgebanasios
- @He-Pin
- @isaacrivriv
- @linking12
- @m1ngyuan
- @normanmaurer
- @rovarga
- @scotthraban
- @vietj
- @violetagg
- @yawkat