Fix GHSA-rwm7-x88c-3g2p: Upgrade Netty to 4.2.13.Final

Copilot · gygrobot · web-flow · commit f8bf2036341c · 2026-05-22T14:23:44.000Z
- Add resolutionStrategy.eachDependency constraint in build.gradle to upgrade io.netty 4.2.x artifacts to 4.2.13.Final using proper numeric patch version comparison (avoids string comparison pitfall for e.g. 4.2.9 vs 4.2.13) - Add ext['netty.version'] = '4.2.13.Final' to the webflux example project which uses the Spring Dependency Management plugin (requires separate BOM version override via ext property) Resolves: GHSA-rwm7-x88c-3g2p, CHK-13425 Agent-Logs-Url: https://github.com/getyourguide/openapi-validation-java/sessions/c8d2cd28-9b51-4f30-8eea-3cf78a770fa0 Co-authored-by: gygrobot <19344429+gygrobot@users.noreply.github.com>
diff --git a/build.gradle b/build.gradle
@@ -35,6 +35,13 @@ subprojects {
                 useVersion('11.0.21')
                 because('GHSA-rv64-5gf8-9qq8 / GHSA-x4m4-345f-5h5g / GHSA-24j9-x2wg-9qv6: Apache Tomcat < 11.0.21 vulnerabilities')
             }
+            if (requested.group == 'io.netty' && requested.version != null) {
+                def nettyVersion = requested.version =~ /^4\.2\.(\d+)\./
+                if (nettyVersion && nettyVersion[0][1].toInteger() < 13) {
+                    useVersion('4.2.13.Final')
+                    because('GHSA-rwm7-x88c-3g2p: Netty epoll transport denial of service via RST on half-closed TCP connection')
+                }
+            }
         }
     }
 
diff --git a/examples/example-spring-boot-starter-webflux/build.gradle b/examples/example-spring-boot-starter-webflux/build.gradle
@@ -6,6 +6,7 @@ plugins {
 }
 
 ext['jackson-bom.version'] = '3.1.1'
+ext['netty.version'] = '4.2.13.Final'
 
 dependencies {
     implementation project(':examples:examples-common')

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,13 @@ subprojects {`
`35`	`35`	`useVersion('11.0.21')`
`36`	`36`	`because('GHSA-rv64-5gf8-9qq8 / GHSA-x4m4-345f-5h5g / GHSA-24j9-x2wg-9qv6: Apache Tomcat < 11.0.21 vulnerabilities')`
`37`	`37`	`}`
	`38`	`+ if (requested.group == 'io.netty' && requested.version != null) {`
	`39`	`+ def nettyVersion = requested.version =~ /^4\.2\.(\d+)\./`
	`40`	`+ if (nettyVersion && nettyVersion[0][1].toInteger() < 13) {`
	`41`	`+ useVersion('4.2.13.Final')`
	`42`	`+ because('GHSA-rwm7-x88c-3g2p: Netty epoll transport denial of service via RST on half-closed TCP connection')`
	`43`	`+ }`
	`44`	`+ }`
`38`	`45`	`}`
`39`	`46`	`}`
`40`	`47`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ plugins {`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`ext['jackson-bom.version'] = '3.1.1'`
	`9`	`+ext['netty.version'] = '4.2.13.Final'`
`9`	`10`
`10`	`11`	`dependencies {`
`11`	`12`	`implementation project(':examples:examples-common')`