fix(deps): upgrade io.netty:netty-bom to 4.2.13.Final (COMP-1718)#1053

Merged
cristianrcv merged 2 commits into master from fix/COMP-1718-netty-decompression-bomb-dos
Jun 8, 2026

Conversation

@cristianrcv

Contributor

Summary

  • Upgrades io.netty:netty-bom from 4.2.5.Final to 4.2.13.Final
  • Resolves CVE-2026-42587 / GHSA-f6hv-jmp6-3vwv
  • Also corrects BOM declaration from runtimeOnly to implementation platform() so Gradle properly enforces version constraints across all Netty transitive dependencies including netty-codec-http2

JIRA

COMP-1718: Fix Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS

Security Advisory

https://github.com/seqeralabs/wave/security/dependabot/50

🤖 Generated with Claude Code

Addresses CVE-2026-33871 / GHSA-w9fj-cfpg-grvv
See: https://github.com/seqeralabs/wave/security/dependabot/38

Also corrects BOM declaration from runtimeOnly to implementation platform() so Gradle properly enforces version constraints across all Netty transitive dependencies including netty-codec-http2.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
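A before/after build.gradle fragment illustrating the BOM declaration change described in the PR. This is an added example, not wave's own build file; the BOM coordinates come from the PR, the versionless `netty-codec-http` line is a hypothetical consumer, and `dependencyInsight` is a standard Gradle task.

```groovy
// Added illustration of the netty-bom declaration change (not wave's build.gradle).

dependencies {
    // Before: a runtimeOnly platform only contributes its version constraints
    // to configurations that extend runtimeOnly (runtimeClasspath,
    // testRuntimeClasspath). compileClasspath resolves Netty modules without
    // the BOM, so a transitive module such as netty-codec-http2 can land on
    // whatever version another dependency requests.
    // runtimeOnly platform('io.netty:netty-bom:4.2.5.Final')

    // After: an implementation platform is inherited by both compileClasspath
    // and runtimeClasspath, so every Netty module reached transitively is
    // aligned to the BOM version (4.2.13.Final, the fixed release).
    implementation platform('io.netty:netty-bom:4.2.13.Final')

    // Hypothetical consumer: a Netty module declared without a version is
    // resolved through the BOM's constraint.
    implementation 'io.netty:netty-codec-http'
}

// Check the effective version on the runtime classpath after the change:
//   ./gradlew dependencyInsight --dependency netty-codec-http2 --configuration runtimeClasspath
// The report should list 4.2.13.Final as the selected version, with the
// io.netty:netty-bom platform named among the reasons.
```

Running the same `dependencyInsight` against `compileClasspath` before and after the change is the quickest way to see which configurations the old `runtimeOnly` declaration left unconstrained.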
@cristianrcv

Contributor Author

@pditommaso Claude considers that the memory leak is solved in Netty 4.2.13.Final but I cannot find any relevant issue solved in the release notes. Do you know if we should still hold this upgrade?

@pditommaso

Collaborator

Let's give it a try. Note this is already included in the latest MN 4.9.x version

cristianrcv force-pushed the fix/COMP-1718-netty-decompression-bomb-dos branch from d966d4c to 95720e5 on May 26, 2026 14:20
cristianrcv merged commit 1b4ecad into master on Jun 8, 2026 (4 checks passed)
cristianrcv deleted the fix/COMP-1718-netty-decompression-bomb-dos branch on June 8, 2026 09:31
@pditommaso

Collaborator

We could try to bump also MN 4.10.x with wave and see what happens
