We are happy to announce the release of netty 4.1.129.Final. This is a bug-fix release but also contains CVE-2025-67735.

The most important changes are:

• RLF injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder (CVE-2025-67735)
• Update lz4-java version to 1.10.1 (#15981)
• Close Channel and fail bootstrap when setting a ChannelOption causes an error (#15970)
• Discard the following HttpContent for preflight request (#15962)
• Fix race condition in NonStickyEventExecutorGroup causing incorrect inEventLoop() results (#15927)
• Fix Zstd compression for large data (#15900)
• Fix ZstdEncoder not producing data when source is smaller than block (#15894)
• Make big endian ASCII hashcode consistent with little endian (#15846)
• Fix reentrancy bug in ByteToMessageDecoder (#15834)
• Add 32k and 64k size classes to adaptive allocator (#15800)
• Re-enable reflective field accesses in native images (#15774)
• Correct HTTP/2 padding length check (#15795)

For more details please visit our bug tracker

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @chrisvest
• @franz1981
• @danfaer
• @He-Pin
• @idelpivnitskiy
• @leonard84
• @normanmaurer
• @qnnn
• @rovarga
• @sephiroth-j
• @skyguard1
• @violetagg
• @yawkat
• @zakkak