
CHK-13425: Fix GHSA-rwm7-x88c-3g2p: Upgrade Netty to 4.2.13.Final #361

Closed

Copilot wants to merge 4 commits into main from copilot/chk-13425-fix-netty-transport-native-epoll

Conversation

Contributor

Copilot AI commented May 22, 2026

Addresses HIGH severity DoS vulnerability in io.netty:netty-transport-native-epoll (GHSA-rwm7-x88c-3g2p) — RST on half-closed TCP connections. Spring Boot 4.0.5 BOM pins Netty at 4.2.12.Final (vulnerable); patched version is 4.2.13.Final.

Changes

  • build.gradle — Adds resolutionStrategy.eachDependency constraint for io.netty group following the existing CVE-fix pattern. Uses regex-based numeric patch comparison to correctly handle single- vs multi-digit patch versions (e.g. 4.2.9 vs 4.2.13 fails lexicographic comparison):
    if (requested.group == 'io.netty' && requested.version != null) {
        def nettyVersion = requested.version =~ /^4\.2\.(\d+)\./
        if (nettyVersion && nettyVersion[0][1].toInteger() < 13) {
            useVersion('4.2.13.Final')
            because('GHSA-rwm7-x88c-3g2p: ...')
        }
    }
  • examples/example-spring-boot-starter-webflux/build.gradle — Adds ext['netty.version'] = '4.2.13.Final' alongside the existing ext['jackson-bom.version'] override. Required because the Spring Dependency Management plugin resolves BOM-managed versions through a separate mechanism that resolutionStrategy alone cannot override.

Implementation Reasoning

  • The resolutionStrategy.eachDependency approach works for modules using Gradle-native platform() BOM import; the ext['netty.version'] property is the standard override for the Spring DM plugin.
  • All io.netty artifacts in the 4.2.x range are upgraded together to maintain inter-component compatibility.
  • Verified via ./gradlew dependencies that netty-transport-native-epoll resolves to 4.2.13.Final across all relevant configurations.

References: CHK-13425 · GitHub Alert #64 · GHSA-rwm7-x88c-3g2p

Original prompt

Requested by: catarina.correia@getyourguide.com

Branch naming: Please prefix your branch with CHK-13425

Create a branch named CHK-13425-fix-netty-transport-native-epoll

Jira Ticket: CHK-13425
Security Alert: Github_Security_Alert - Netty epoll transport denial of service via RST on half-closed TCP connection

Context:
This is a security vulnerability fix for denial of service vulnerability in io.netty:netty-transport-native-epoll used by the openapi-validation-java library.

Vulnerability Details:

  • CVE/GHSA: GHSA-rwm7-x88c-3g2p
  • Severity: HIGH
  • Package: io.netty:netty-transport-native-epoll
  • Vulnerable Version/Range: >= 4.2.0.Final, < 4.2.13.Final
  • Patched Version: 4.2.13.Final

Work Needed:

  • Locate io.netty:netty-transport-native-epoll dependency in settings.gradle or build.gradle files
  • Determine if it's a direct or transitive dependency
  • Check if fix requires major version upgrade (compare vulnerable vs patched major versions)
  • If major version upgrade: Review changelog for breaking changes and assess compatibility
  • Apply appropriate fix strategy:
    • If direct: Update version in manifest file
    • If transitive: Upgrade parent dependency that brings it in
    • If needed: Add version constraint/override
  • Verify patched version 4.2.13.Final appears in dependency tree using ./gradlew dependencies
  • Run tests following repository's documented test process (check README.md and CI workflows)

⚠️ PR Description Requirements:

  • ALWAYS include the "Implementation Reasoning" section below in the PR description on GitHub
  • If major version upgrade is detected, add a "## ⚠️ Breaking Changes Warning" section with changelog review results

Implementation Reasoning:
[Apply security-specific guidance:]

  • {Fix strategy chosen and why - e.g., "Upgrading netty-bom parent dependency rather than override because it ensures all Netty components are compatible"}
  • {Security considerations - e.g., "This resolves the denial of service vulnerability by upgrading to a version that properly handles RST on half-closed TCP connections"}
  • {Verification approach - e.g., "Verified using ./gradlew dependencies that netty-transport-native-epoll 4.2.13.Final is resolved"}

Note: Include the "Implementation Reasoning" section above in your PR description on GitHub.

Security Considerations:

  • Ensure the fix actually resolves GHSA-rwm7-x88c-3g2p
  • Verify no breaking changes are introduced
  • Test thoroughly to ensure the vulnerability is closed
  • Check that all Netty transitive dependencies are compatible

Acceptance Criteria:

  • io.netty:netty-transport-native-epoll upgraded to 4.2.13.Final (verified in dependency tree)
  • All existing tests pass
  • (If major version upgrade) Breaking changes reviewed, documented in PR description, and mitigated
  • No unexpected breaking changes introduced
  • PR includes links to Jira ticket CHK-13425, GitHub alert #64, and security advisory GHSA-rwm7-x88c-3g2p

⚠️ Security Fix: This PR addresses a HIGH severity denial of service vulnerability. Please review carefully.

Ask @catarina-correia for a review.
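The build.gradle change described in the PR is shown above only as a fragment. The following is an added example, not the project's own build script, of a complete Gradle (Groovy DSL) configuration for the same technique: a `resolutionStrategy.eachDependency` rule that compares the Netty patch component numerically rather than as a string, plus a verification task that fails the build if any resolved `io.netty` artifact is still in the vulnerable range. The patched version `4.2.13.Final` and the advisory id come from the PR; the task name `verifyNettyVersion`, the `ext` property names, and the assumption that the `java` plugin is applied (so that `configurations.runtimeClasspath` exists) are my own.

```groovy
// Added example, not the project's build.gradle.
// Assumes the 'java' plugin is applied so configurations.runtimeClasspath exists.
// Patched version and advisory id are taken from the PR; task and property
// names below are hypothetical.

ext.nettyPatchedVersion = '4.2.13.Final'
ext.nettyMinPatch = 13   // first non-vulnerable patch in the 4.2.x line

// Returns the numeric patch component of a 4.2.x Netty version, or null when
// the version is not in the 4.2.x line (e.g. 4.1.x), which this rule leaves alone.
def nettyPatchOf(String version) {
    def m = (version =~ /^4\.2\.(\d+)\./)
    return m.find() ? m.group(1).toInteger() : null
}

configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        def req = details.requested
        if (req.group == 'io.netty' && req.version != null) {
            // A plain string comparison gets this wrong: '4.2.9.Final' sorts
            // *after* '4.2.13.Final' lexicographically, so 4.2.9 would be left
            // in place. Comparing the parsed integer avoids that pitfall.
            def patch = nettyPatchOf(req.version)
            if (patch != null && patch < nettyMinPatch) {
                details.useVersion(nettyPatchedVersion)
                details.because("GHSA-rwm7-x88c-3g2p: Netty epoll DoS via RST on " +
                        "half-closed TCP connection; fixed in ${nettyPatchedVersion}")
            }
        }
    }
}

// Projects using the Spring Dependency Management plugin additionally need the
// BOM property override the PR describes (hypothetical placement shown here):
// ext['netty.version'] = '4.2.13.Final'

// Fails the build if a vulnerable 4.2.x Netty artifact still reaches the runtime
// classpath, e.g. because a BOM-managed version bypassed the rule above.
tasks.register('verifyNettyVersion') {
    description = 'Fails if any resolved io.netty 4.2.x artifact predates 4.2.13.Final'
    doLast {
        def vulnerable = configurations.runtimeClasspath.resolvedConfiguration
                .resolvedArtifacts
                .collect { it.moduleVersion.id }
                .findAll { it.group == 'io.netty' }
                .findAll { id ->
                    def p = nettyPatchOf(id.version)
                    p != null && p < nettyMinPatch
                }
        if (!vulnerable.isEmpty()) {
            throw new GradleException("Vulnerable Netty artifacts resolved: " +
                    vulnerable.collect { "${it.group}:${it.name}:${it.version}" }.join(', '))
        }
        logger.lifecycle("All io.netty 4.2.x artifacts resolve to >= ${nettyPatchedVersion}")
    }
}
```

Run `./gradlew verifyNettyVersion` after the upgrade; it complements the manual `./gradlew dependencies` inspection mentioned in the PR by turning the check into a build failure, which is what makes a regression (a future BOM bump that reintroduces 4.2.12 or older) visible in CI rather than only in a dependency-tree dump.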

@gygrobot gygrobot requested a review from catarina-correia May 22, 2026 14:12
@gyg-pr-tool gyg-pr-tool Bot changed the title [WIP] Fix netty transport native epoll security vulnerability CHK-13425: [WIP] Fix netty transport native epoll security vulnerability May 22, 2026
Copilot AI and others added 2 commits May 22, 2026 14:14
- Add resolutionStrategy.eachDependency constraint in build.gradle to
  upgrade io.netty 4.2.x artifacts to 4.2.13.Final using proper numeric
  patch version comparison (avoids string comparison pitfall for e.g.
  4.2.9 vs 4.2.13)
- Add ext['netty.version'] = '4.2.13.Final' to the webflux example
  project which uses the Spring Dependency Management plugin (requires
  separate BOM version override via ext property)

Resolves: GHSA-rwm7-x88c-3g2p, CHK-13425

Agent-Logs-Url: https://github.com/getyourguide/openapi-validation-java/sessions/c8d2cd28-9b51-4f30-8eea-3cf78a770fa0

Co-authored-by: gygrobot <19344429+gygrobot@users.noreply.github.com>
Copilot AI changed the title CHK-13425: [WIP] Fix netty transport native epoll security vulnerability Fix GHSA-rwm7-x88c-3g2p: Upgrade Netty to 4.2.13.Final May 22, 2026
Copilot AI requested a review from gygrobot May 22, 2026 14:25
@gyg-pr-tool gyg-pr-tool Bot changed the title Fix GHSA-rwm7-x88c-3g2p: Upgrade Netty to 4.2.13.Final CHK-13425: Fix GHSA-rwm7-x88c-3g2p: Upgrade Netty to 4.2.13.Final May 22, 2026
The gradlew.bat was inadvertently modified to use LF line endings
during the security fix commit. This restores the original CRLF
line endings to match main and avoid unnecessary diff noise.
@catarina-correia catarina-correia deleted the copilot/chk-13425-fix-netty-transport-native-epoll branch May 22, 2026 15:20