fix: pin netty codec compression to 4.2.13.Final

Copilot · gygrobot · web-flow · commit e9eb4112e29e · 2026-05-22T14:42:24.000Z
Agent-Logs-Url: https://github.com/getyourguide/openapi-validation-java/sessions/ff1748ca-2686-476c-8163-79fb3aaeb02d Co-authored-by: gygrobot <19344429+gygrobot@users.noreply.github.com>
diff --git a/build.gradle b/build.gradle
@@ -30,6 +30,11 @@ subprojects {
                 useVersion('3.1.1')
                 because('GHSA-2m67-wjpj-xhg9: Jackson Core 3.0.0-3.1.0 maxDocumentLength bypass')
             }
+            if (requested.group == 'io.netty' && requested.name == 'netty-codec-compression'
+                    && requested.version != null && requested.version < '4.2.13.Final') {
+                useVersion('4.2.13.Final')
+                because('GHSA-mj4r-2hfc-f8p6: Netty Codec Compression before 4.2.13.Final is vulnerable to resource exhaustion')
+            }
             if (requested.group == 'org.apache.tomcat.embed' && requested.name == 'tomcat-embed-core'
                     && requested.version != null && requested.version < '11.0.21') {
                 useVersion('11.0.21')
diff --git a/openapi-validation-core/build.gradle b/openapi-validation-core/build.gradle
@@ -10,6 +10,12 @@ dependencies {
         implementation(libs.commons.codec) {
             because 'Apache commons-codec before 1.13 is vulnerable to information exposure. See https://devhub.checkmarx.com/cve-details/Cxeb68d52e-5509/'
         }
+        implementation('io.netty:netty-codec-compression') {
+            version {
+                strictly '4.2.13.Final'
+            }
+            because 'GHSA-mj4r-2hfc-f8p6: Netty Codec Compression before 4.2.13.Final is vulnerable to resource exhaustion. See https://github.com/getyourguide/openapi-validation-java/security/dependabot/59'
+        }
         implementation('org.mozilla:rhino:1.9.0') {
             because 'CVE-2025-66453: Rhino before 1.9.0 has high CPU usage and potential DoS when passing specific numbers to toFixed() function. See https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x'
         }

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,12 @@ dependencies {`
`10`	`10`	`implementation(libs.commons.codec) {`
`11`	`11`	`because 'Apache commons-codec before 1.13 is vulnerable to information exposure. See https://devhub.checkmarx.com/cve-details/Cxeb68d52e-5509/'`
`12`	`12`	`}`
	`13`	`+ implementation('io.netty:netty-codec-compression') {`
	`14`	`+ version {`
	`15`	`+ strictly '4.2.13.Final'`
	`16`	`+ }`
	`17`	`+ because 'GHSA-mj4r-2hfc-f8p6: Netty Codec Compression before 4.2.13.Final is vulnerable to resource exhaustion. See https://github.com/getyourguide/openapi-validation-java/security/dependabot/59'`
	`18`	`+ }`
`13`	`19`	`implementation('org.mozilla:rhino:1.9.0') {`
`14`	`20`	`because 'CVE-2025-66453: Rhino before 1.9.0 has high CPU usage and potential DoS when passing specific numbers to toFixed() function. See https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x'`
`15`	`21`	`}`