CHK-13427: fix: upgrade io.netty to 4.2.13.Final (GHSA-38f8-5428-x5cv) by Copilot · Pull Request #362 · getyourguide/openapi-validation-java

Copilot · 2026-05-22T14:12:18Z

io.netty:netty-codec-http ≤ 4.2.12.Final is vulnerable to HTTP Request Smuggling via malformed Transfer-Encoding headers (GHSA-38f8-5428-x5cv, MEDIUM). The affected version (4.2.12.Final) arrives transitively via spring-boot-starter-reactor-netty → reactor-netty-http:1.3.4.

Changes

build.gradle — adds a resolutionStrategy.eachDependency constraint forcing all io.netty group modules to ≥ 4.2.13.Final, consistent with the existing CVE mitigations for jackson-core and tomcat-embed-core:

if (requested.group == 'io.netty' && requested.version != null && requested.version < '4.2.13.Final') {
    useVersion('4.2.13.Final')
    because('GHSA-38f8-5428-x5cv: HTTP Request Smuggling in io.netty:netty-codec-http via malformed Transfer-Encoding headers')
}

All io.netty modules are version-locked together upstream, so the constraint targets the full group to maintain version consistency. Confirmed via dependency tree: netty-codec-http:4.2.10.Final -> 4.2.13.Final.

Resolves GitHub Dependabot alert #61 / CHK-13427.

Original prompt

Requested by: catarina.correia@getyourguide.com

Branch naming: Please prefix your branch with CHK-13427

Create a branch named CHK-13427-fix-netty-http-request-smuggling

Jira Ticket: CHK-13427
Security Alert: Github_Security_Alert - HTTP Request Smuggling

Context:
This is a security vulnerability fix for HTTP Request Smuggling in io.netty:netty-codec-http due to malformed Transfer-Encoding handling.

Vulnerability Details:

CVE/GHSA: GHSA-38f8-5428-x5cv

Severity: MEDIUM

Package: io.netty:netty-codec-http

Vulnerable Version/Range: >= 4.2.0.Alpha1, <= 4.2.12.Final

Patched Version: 4.2.13.Final

Work Needed:

Locate io.netty:netty-codec-http dependency in settings.gradle or build.gradle files

Determine if it's a direct or transitive dependency using Gradle dependency tree

Check if fix requires major version upgrade: 4.2.x → 4.2.13 (NO - this is a patch version upgrade within the same minor version)

Apply appropriate fix strategy:

If direct dependency: Update version in manifest file

If transitive: Upgrade parent dependency that brings it in

If from BOM or platform: Update the BOM/platform version or add constraint

Verify patched version 4.2.13.Final appears in dependency tree after fix

Run tests following repository's documented test process (check README.md, .github/workflows/, or Gradle tasks)

⚠️ PR Description Requirements:

ALWAYS include the "Implementation Reasoning" section below in the PR description on GitHub

This is a patch version upgrade (4.2.x → 4.2.13.Final), so no major breaking changes are expected

Implementation Reasoning:
The security fix upgrades io.netty:netty-codec-http to address GHSA-38f8-5428-x5cv (HTTP Request Smuggling via malformed Transfer-Encoding headers). The fix strategy chosen depends on whether this is a direct or transitive dependency:

If transitive, upgrading the parent dependency ensures compatibility with other components

If direct, updating to 4.2.13.Final resolves the vulnerability while maintaining API compatibility (patch version upgrade)

This resolves the HTTP Request Smuggling vulnerability by including Netty's fix for proper Transfer-Encoding header validation

Security Considerations:

Verify io.netty:netty-codec-http 4.2.13.Final actually appears in the dependency tree after the upgrade

Ensure no unexpected dependency conflicts are introduced

Test thoroughly to confirm the vulnerability is closed

Confirm the fix by checking that GitHub Dependabot alert Bump org.projectlombok:lombok from 1.18.24 to 1.18.30 #61 is resolved after merge

Acceptance Criteria:

io.netty:netty-codec-http 4.2.13.Final confirmed in dependency tree (run ./gradlew dependencies | grep netty-codec-http)

All existing tests pass with upgraded dependency

No unexpected breaking changes introduced

PR includes links to CHK-13427, GitHub alert Bump org.projectlombok:lombok from 1.18.24 to 1.18.30 #61, and GHSA-38f8-5428-x5cv

⚠️ Security Fix: This PR addresses a MEDIUM severity HTTP Request Smuggling vulnerability. Please review carefully.

Ask @catarina-correia for a review.

Agent-Logs-Url: https://github.com/getyourguide/openapi-validation-java/sessions/9f2405ce-d78a-4d99-a122-3e3e307f9f05 Co-authored-by: gygrobot <19344429+gygrobot@users.noreply.github.com>

…HTTP Request Smuggling Agent-Logs-Url: https://github.com/getyourguide/openapi-validation-java/sessions/9f2405ce-d78a-4d99-a122-3e3e307f9f05 Co-authored-by: gygrobot <19344429+gygrobot@users.noreply.github.com>

The gradlew.bat was inadvertently modified to use LF line endings during the security fix commit. This restores the original CRLF line endings to match main and avoid unnecessary diff noise.

Initial plan

7e10f32

Copilot AI assigned Copilot and gygrobot May 22, 2026

gygrobot requested a review from catarina-correia May 22, 2026 14:12

gyg-pr-tool Bot changed the title ~~[WIP] Fix HTTP request smuggling vulnerability in Netty~~ CHK-13427: [WIP] Fix HTTP request smuggling vulnerability in Netty May 22, 2026

Copilot started work on behalf of gygrobot May 22, 2026 14:12 View session

Copilot AI and others added 2 commits May 22, 2026 14:15

chore: initial plan for GHSA-38f8-5428-x5cv netty-codec-http fix

1cdab44

Agent-Logs-Url: https://github.com/getyourguide/openapi-validation-java/sessions/9f2405ce-d78a-4d99-a122-3e3e307f9f05 Co-authored-by: gygrobot <19344429+gygrobot@users.noreply.github.com>

fix: upgrade io.netty to 4.2.13.Final to address GHSA-38f8-5428-x5cv …

3dcc9fc

…HTTP Request Smuggling Agent-Logs-Url: https://github.com/getyourguide/openapi-validation-java/sessions/9f2405ce-d78a-4d99-a122-3e3e307f9f05 Co-authored-by: gygrobot <19344429+gygrobot@users.noreply.github.com>

Copilot AI changed the title ~~CHK-13427: [WIP] Fix HTTP request smuggling vulnerability in Netty~~ fix: upgrade io.netty to 4.2.13.Final (GHSA-38f8-5428-x5cv) May 22, 2026

Copilot AI requested a review from gygrobot May 22, 2026 14:18

gyg-pr-tool Bot changed the title ~~fix: upgrade io.netty to 4.2.13.Final (GHSA-38f8-5428-x5cv)~~ CHK-13427: fix: upgrade io.netty to 4.2.13.Final (GHSA-38f8-5428-x5cv) May 22, 2026

Copilot finished work on behalf of gygrobot May 22, 2026 14:19

revert: restore gradlew.bat CRLF line endings from main

8fa10ff

The gradlew.bat was inadvertently modified to use LF line endings during the security fix commit. This restores the original CRLF line endings to match main and avoid unnecessary diff noise.

catarina-correia marked this pull request as ready for review May 22, 2026 14:58

catarina-correia requested a review from a team as a code owner May 22, 2026 14:58

catarina-correia approved these changes May 22, 2026

View reviewed changes

catarina-correia merged commit 710bf7b into main May 22, 2026
4 checks passed

catarina-correia deleted the copilot/chk-13427-fix-netty-http-request-smuggling branch May 22, 2026 14:59

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CHK-13427: fix: upgrade io.netty to 4.2.13.Final (GHSA-38f8-5428-x5cv)#362

CHK-13427: fix: upgrade io.netty to 4.2.13.Final (GHSA-38f8-5428-x5cv)#362
catarina-correia merged 4 commits into
mainfrom
copilot/chk-13427-fix-netty-http-request-smuggling

Copilot AI commented May 22, 2026 •

edited by atlassian Bot

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Copilot AI commented May 22, 2026 • edited by atlassian Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented May 22, 2026 •

edited by atlassian Bot

Loading