Skip to content

Commit d167df7

Browse files
git-wrightclaude
git-wright
and
claude
committed
fix: upgrade Netty to 4.1.129.Final to address security vulnerabilities
Force transitive Netty dependency upgrade to resolve: - CVE-2025-24970 (HIGH 7.5): SslHandler validation flaw causing native crash - CVE-2025-25193 (MEDIUM 5.5): DoS via null-byte in BoundedInputStream - CVE-2025-55163 (HIGH 7.5): HTTP/2 "MadeYouReset" DDoS attack - CVE-2025-58056 (HIGH 7.5): HTTP request smuggling via LF parsing - CVE-2025-58057 (HIGH 7.5): BrotliDecoder DoS (zip bomb) - CVE-2025-67735 (MEDIUM 6.5): CRLF injection / request smuggling Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent 1101e40 commit d167df7

1 file changed

Lines changed: 19 additions & 0 deletions

File tree

build.gradle

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,12 @@ group = "com.pusher"
2727
version = "1.3.4"
2828
description = "Pusher HTTP Client"
2929

30+
// Netty version override to address CVE-2025-24970, CVE-2025-25193, CVE-2025-55163,
31+
// CVE-2025-58056, CVE-2025-58057, CVE-2025-67735
32+
ext {
33+
nettyVersion = '4.1.129.Final'
34+
}
35+
3036
java {
3137
sourceCompatibility = JavaVersion.VERSION_11
3238
targetCompatibility = JavaVersion.VERSION_11
@@ -38,13 +44,26 @@ dependencies {
3844
implementation 'org.apache.httpcomponents:httpclient:4.5.13'
3945
implementation 'org.asynchttpclient:async-http-client:3.0.1'
4046
implementation 'com.google.code.gson:gson:2.8.9'
47+
48+
// Force Netty upgrade to resolve CVEs
49+
implementation platform("io.netty:netty-bom:${nettyVersion}")
50+
4151
testImplementation 'org.apache.httpcomponents:httpclient:4.5.13'
4252
testImplementation 'org.hamcrest:hamcrest-all:1.3'
4353
testImplementation 'org.jmock:jmock-junit5:2.12.0'
4454
testImplementation 'org.jmock:jmock-imposters:2.12.0'
4555
testImplementation 'org.junit.jupiter:junit-jupiter:5.7.1'
4656
}
4757

58+
configurations.all {
59+
resolutionStrategy.eachDependency { details ->
60+
if (details.requested.group == 'io.netty') {
61+
details.useVersion nettyVersion
62+
details.because 'CVE-2025-24970, CVE-2025-25193, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-67735'
63+
}
64+
}
65+
}
66+
4867
processResources {
4968
filter(ReplaceTokens, tokens: [
5069
version: project.version

0 commit comments

Comments
 (0)