fix: upgrade io.netty to 4.2.13.Final to address GHSA-38f8-5428-x5cv HTTP Request Smuggling

Copilot · gygrobot · web-flow · commit 3dcc9fc658e8 · 2026-05-22T14:16:44.000Z
Agent-Logs-Url: https://github.com/getyourguide/openapi-validation-java/sessions/9f2405ce-d78a-4d99-a122-3e3e307f9f05 Co-authored-by: gygrobot <19344429+gygrobot@users.noreply.github.com>
diff --git a/build.gradle b/build.gradle
@@ -35,6 +35,10 @@ subprojects {
                 useVersion('11.0.21')
                 because('GHSA-rv64-5gf8-9qq8 / GHSA-x4m4-345f-5h5g / GHSA-24j9-x2wg-9qv6: Apache Tomcat < 11.0.21 vulnerabilities')
             }
+            if (requested.group == 'io.netty' && requested.version != null && requested.version < '4.2.13.Final') {
+                useVersion('4.2.13.Final')
+                because('GHSA-38f8-5428-x5cv: HTTP Request Smuggling in io.netty:netty-codec-http via malformed Transfer-Encoding headers')
+            }
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,10 @@ subprojects {`
`35`	`35`	`useVersion('11.0.21')`
`36`	`36`	`because('GHSA-rv64-5gf8-9qq8 / GHSA-x4m4-345f-5h5g / GHSA-24j9-x2wg-9qv6: Apache Tomcat < 11.0.21 vulnerabilities')`
`37`	`37`	`}`
	`38`	`+ if (requested.group == 'io.netty' && requested.version != null && requested.version < '4.2.13.Final') {`
	`39`	`+ useVersion('4.2.13.Final')`
	`40`	`+ because('GHSA-38f8-5428-x5cv: HTTP Request Smuggling in io.netty:netty-codec-http via malformed Transfer-Encoding headers')`
	`41`	`+ }`
`38`	`42`	`}`
`39`	`43`	`}`
`40`	`44`