Netty 4.1.128.Final released
We are happy to announce the release of Netty 4.1.128.Final. This is a bug-fix release, but it also contains a fix for CVE-2025-59419, which might affect you if you make use of our SMTP implementation.
The most important changes are:
- SMTP Command Injection Vulnerability Allowing Email Forgery (CVE-2025-59419)
- Drop unknown frame on missing stream in first packet (#15647)
- Precompute segments offsets and use them as segment's identity (#15656)
- Empty chunks cannot be used while allocating from the shared queue (#15659)
- Only register chunk sizes in adaptive allocator (#15663)
- Fix concurrent chunk data write bug in adaptive allocator (#15664)
- Update jni-util version to clarify licensing (#15689)
- Fix Snappy compression bug (#15715)
- Fix aligned off-heap zeroing (#15744)
For more details, please visit our bug tracker.
Thank You
Every idea and bug report counts, so we think it is worth mentioning those who helped in this area.
Please report any unintended omission.