
[Aikido] Fix 7 security issues in netty-codec, netty-codec-http, netty-codec-http2 and 3 more#1

Open
aikido-autofix[bot] wants to merge 3 commits into main from fix/aikido-security-update-packages-16428206-j62L

Conversation

@aikido-autofix

Upgrade Netty and Vert.x dependencies to address critical HTTP/2 DoS, request smuggling, SSL validation, and compression vulnerabilities that could enable remote attacks.

✅ 7 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2025-58057 | HIGH | [netty-codec] Vulnerability in decompression decoder allows attackers to cause DoS by supplying crafted input that triggers excessive buffer allocation, potentially exhausting memory resources until out-of-memory condition is reached. |
| CVE-2025-58056 | HIGH | [netty-codec-http] HTTP request smuggling vulnerability in Netty allows attackers to craft malformed requests that are parsed differently by Netty and reverse proxies, potentially bypassing security controls and enabling request manipulation attacks. |
| CVE-2025-67735 | MEDIUM | [netty-codec-http] CRLF injection vulnerability in HTTP request encoder enables request smuggling attacks by injecting malicious headers, potentially allowing attackers to manipulate HTTP requests and bypass security controls. |
| CVE-2025-55163 | HIGH | [netty-codec-http2] HTTP/2 protocol vulnerability allows attackers to bypass stream limits by sending malformed control frames, causing resource exhaustion and potential Distributed Denial of Service (DDoS) attack. |
| CVE-2025-24970 | HIGH | [netty-handler] A specially crafted packet received via SslHandler can trigger incorrect validation, potentially causing a native crash and system instability. This vulnerability allows attackers to potentially cause a Denial of Service (DoS) condition by sending malformed network packets. |
| CVE-2026-1002 | MEDIUM | [vertx-core] Path traversal vulnerability in static file handler allows attackers to manipulate request URIs, causing denial of access to static files by crafting malicious URIs with encoded path traversal sequences. |
| CVE-2025-25193 | LOW | [netty-common] A DoS vulnerability exists where an attacker can create a large file on Windows that causes Netty to crash when attempting to read a non-existent environment file, potentially disrupting application availability. |

aikido-autofix Bot and others added 3 commits February 15, 2026 17:36
- Update Kotlin to 2.3.10
- Update Ktor to 3.4.0 (includes secure Netty 4.1.130.Final)
- Add Vert.x constraint to force 4.5.24 (Ktor uses vulnerable 4.5.11)

Netty CVEs resolved by Ktor update, no constraint needed.
Vert.x requires explicit constraint as Ktor hasn't updated yet.

Based on Aikido security scan recommendations.

Co-authored-by: Aikido Security <security@aikido.dev>
@Gimzou Gimzou force-pushed the fix/aikido-security-update-packages-16428206-j62L branch from 6832361 to 4c0906a Compare February 15, 2026 18:21
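The Vert.x pin the commit message describes, written out as an added Gradle Kotlin DSL example. This is not the PR's own diff (the build file is not shown on this page); it assumes a JVM project with a `runtimeClasspath` configuration, and the `checkVertxVersion` task, its minimum-version comparison and the `because` text are illustrative additions, not something the PR contains.

```kotlin
// build.gradle.kts (added example; assumes a JVM project using the Kotlin DSL)
dependencies {
    constraints {
        // A dependency constraint raises the transitive io.vertx:vertx-core that
        // Ktor brings in without adding a direct dependency on Vert.x. Constraints
        // participate in conflict resolution for transitive edges too, so the
        // 4.5.11 pulled in by Ktor resolves to 4.5.24.
        implementation("io.vertx:vertx-core:4.5.24") {
            because("CVE-2026-1002: transitive vertx-core 4.5.11 is vulnerable")
        }
    }
}

// Illustrative guard (not in the PR): fail the build if the resolved runtime
// classpath still contains a vertx-core older than the patched release, so a
// future Ktor bump that lowers or removes the constraint cannot silently regress.
val minVertx = listOf(4, 5, 24)

// "4.5.24" -> [4, 5, 24]; any "-SNAPSHOT"/qualifier suffix is dropped before comparing
fun parseVersion(v: String): List<Int> =
    v.substringBefore('-').split('.').map { it.toIntOrNull() ?: 0 }

fun isBelowMinimum(version: String): Boolean {
    val parts = parseVersion(version)
    for (i in minVertx.indices) {
        val p = parts.getOrElse(i) { 0 }
        if (p != minVertx[i]) return p < minVertx[i]
    }
    return false
}

tasks.register("checkVertxVersion") {
    group = "verification"
    description = "Fails if io.vertx:vertx-core resolves below ${minVertx.joinToString(".")}"
    doLast {
        val resolved = configurations.getByName("runtimeClasspath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "io.vertx" && it.name == "vertx-core" }
        val bad = resolved.filter { isBelowMinimum(it.version) }
        check(bad.isEmpty()) {
            "Vulnerable vertx-core resolved: ${bad.joinToString { it.version }}"
        }
        logger.lifecycle("vertx-core resolved to: ${resolved.joinToString { it.version }}")
    }
}

// Run the guard as part of the normal verification lifecycle (./gradlew check)
tasks.named("check") { dependsOn("checkVertxVersion") }
```

To see which edge won and why, run `./gradlew dependencyInsight --dependency io.vertx:vertx-core --configuration runtimeClasspath`; the report lists the constraint together with its `because` reason. A plain `"4.5.24"` constraint is a required version that still yields to a higher transitive requirement, which is what you want for a security floor; use `version { strictly("4.5.24") }` only if an exact pin is actually intended.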