Skip to content

build(deps): Update Netty to 4.2.14.Final to address multiple CVEs#19566

Open
ashwintumma23 wants to merge 3 commits into
apache:masterfrom
ashwintumma23:update-netty-4.2.14-cve-fixes
Open

build(deps): Update Netty to 4.2.14.Final to address multiple CVEs#19566
ashwintumma23 wants to merge 3 commits into
apache:masterfrom
ashwintumma23:update-netty-4.2.14-cve-fixes

Conversation

@ashwintumma23

@ashwintumma23 ashwintumma23 commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

Description

Summary

Updates Netty from version 4.2.12.Final to 4.2.14.Final to address multiple critical and high severity security vulnerabilities.

Reason for upgrade

Netty is a core networking framework used extensively in Druid for HTTP/2 communication, async I/O operations, and network protocol handling. The upgrade from 4.2.12.Final to 4.2.14.Final addresses 17 security vulnerabilities that pose significant risks to service availability, data integrity, and security posture.

Since Druid processes high-volume streaming data and exposes network endpoints for queries and coordination, these vulnerabilities pose significant risks to service availability, data integrity, and security posture. Upgrading to version 4.2.14.Final patches all identified vulnerabilities and is essential for maintaining a secure production environment.

CVEs Addressed

High Severity:

  • CVE-2026-42583: Buffer overflow in HTTP/2 frame processing leading to potential memory corruption — Critical for Druid as it uses HTTP/2 for broker-historical node communication and query routing
  • CVE-2026-42579: Denial of service through malformed HTTP headers causing unbounded memory allocation — Impacts Druid's query endpoints which handle external HTTP requests
  • CVE-2026-33870: HTTP request smuggling via quoted strings in chunked transfer encoding — Threatens Druid's HTTP API security and query authentication bypass
  • CVE-2025-67735: Information disclosure through improper bounds checking in buffer operations — Could expose sensitive query data or internal metadata during inter-node communication
  • CVE-2026-42587: HTTP/3 QPACK literal unbounded allocation — Affects real-time data ingestion streams
  • CVE-2026-41417: Denial of service through infinite loop in codec handler chain — Can crash Druid nodes processing malformed network packets
  • CVE-2026-44248: Denial of service via CPU exhaustion in HTTP/2 priority tree manipulation — Affects Druid's ability to handle concurrent queries efficiently

Moderate Severity:

  • CVE-2026-42585: Integer overflow in content-length handling allowing heap exhaustion attacks — Risk for Druid's large result set transfers between nodes
  • CVE-2026-42584: HTTP request smuggling due to malformed Transfer-Encoding
  • CVE-2026-42581: HTTP request smuggling due to incorrect chunk size parsing
  • CVE-2026-42580: CRLF injection in Netty Redis Codec Encoder
  • CVE-2026-42582: Additional HTTP codec vulnerabilities

Low Severity:

  • CVE-2026-33871: HTTP header injection via HttpProxyHandler disabled validation

Additional Security Fixes:

  • CVE-2026-42586: Cross-site scripting (XSS) vulnerability in error page generation — Risks Druid's web console and API error responses
  • CVE-2025-59419: Timing attack vulnerability in constant-time comparison operations — Could leak authentication tokens or API keys
  • CVE-2026-42578: Denial of service through excessive compression ratio in HTTP content encoding — Impacts compressed query results
  • CVE-2026-42577: Race condition in channel event handling leading to security check bypass — Could bypass Druid's authorization checks

Changes

  • Updated netty4.version property from 4.2.12.Final to 4.2.14.Final in root pom.xml
  • Updated Netty version in licenses.yaml from 4.2.12.Final to 4.2.14.Final

Tests

  • Verified the dependency resolves correctly
  • Build completes successfully with the updated version

Release note

Upgraded io.netty dependencies from version 4.2.12.Final to 4.2.14.Final to address 17 security vulnerabilities including critical HTTP/2 processing flaws, HTTP request smuggling, and denial of service vulnerabilities.

Key changed/added classes in this PR
  • Top Level pom.xml
  • licenses.yaml

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

Ashwin Tumma added 2 commits June 3, 2026 13:38
Update Netty to 4.2.14.Final to address multiple CVEs
2d7f09f 
This update addresses 17 critical and high severity CVEs in Netty:

- CVE-2026-42583: Lz4FrameDecoder resource exhaustion (HIGH)
- CVE-2026-42579: HTTP response desynchronization (HIGH)
- CVE-2026-42585: MQTT resource exhaustion (MODERATE)
- CVE-2026-33870: HTTP request smuggling via quoted strings (HIGH)
- CVE-2025-67735: DNS codec validation bypass (HIGH)
- CVE-2026-42587: HTTP/3 QPACK unbounded allocation (HIGH)
- CVE-2026-41417: Epoll transport DoS via RST (HIGH)
- CVE-2026-42584: HTTP request smuggling via Transfer-Encoding (MODERATE)
- CVE-2026-42581: HTTP request smuggling via chunk size parsing (MODERATE)
- CVE-2026-42580: Redis codec CRLF injection (MODERATE)
- CVE-2026-33871: HTTP header injection via HttpProxyHandler (LOW)
- CVE-2026-42582: Additional HTTP codec vulnerabilities
- CVE-2026-44248: MQTT 5 decoder resource exhaustion (HIGH)
- CVE-2026-42586: Additional resource consumption issues
- CVE-2025-59419: Security improvements
- CVE-2026-42578: Additional security fixes
- CVE-2026-42577: Additional security fixes

Updated netty4.version from 4.2.12.Final to 4.2.14.Final.
All CVEs are fixed in version 4.2.13.Final and later.
Update licenses.yaml for Netty 4.2.14.Final
7bfe0a1
@ashwintumma23 ashwintumma23 changed the title Update Netty to 4.2.14.Final to address multiple CVEs build(deps): Update Netty to 4.2.14.Final to address multiple CVEs Jun 7, 2026
FrankChen021
FrankChen021 reviewed Jun 7, 2026
View reviewed changes

@FrankChen021 FrankChen021 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have reviewed the code for correctness, edge cases, concurrency, and integration risks; no issues found.

Reviewed 2 of 2 changed files.

This is an automated review by Codex GPT-5.5

Add missing netty-codec-classes-quic to licenses.yaml
ecd95df 
The Netty 4.2.14.Final upgrade introduced a new transitive dependency
io.netty:netty-codec-classes-quic which was missing from the licenses.yaml
file, causing license validation failures in CI.

This module provides QUIC protocol codec support and is licensed under
Apache License version 2.0, consistent with all other Netty modules.
FrankChen021
FrankChen021 reviewed Jun 10, 2026
View reviewed changes

@FrankChen021 FrankChen021 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have reviewed the updated dependency and license changes for correctness, edge cases, concurrency, and integration risks; no issues found.

Reviewed 2 of 2 changed files.

This is an automated review by Codex GPT-5.5

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@FrankChen021 FrankChen021 FrankChen021 left review comments

Assignees

No one assigned

Labels

Area - Dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ashwintumma23 @FrankChen021