Netty Project

We are happy to announce the release of netty 4.2.7.Final. This is a bug-fix release but also contains some new features. Beside this it also fixes CVE-2025-59419 which might affect you if you make use of our SMTP implementation. The most important ... [More] changes are: SMTP Command Injection Vulnerability Allowing Email Forgery (CVE-2025-59419) Faster leak detector implementation for tests (#15622) Expose metrics from AutoScalingEventExecutorChooserFactory (#15624) Teach the BoringSSL implementation to use a java.security.Signature for keys that cannot be obtained directly (#15626) Drop unknown frame on missing stream in first packet (#15646) IoUring: Add support IntegerUnixChannelOption and RawUnixChannelOption (#15706) IoUring: Don't delay close operation if we still wait for the second... [Less]

We are happy to announce the release of netty 4.1.128.Final. This is a bug-fix release but also contains CVE-2025-59419 which might affect you if you make use of our SMTP implementation. The most important changes are: SMTP Command Injection ... [More] Vulnerability Allowing Email Forgery (CVE-2025-59419) Drop unknown frame on missing stream in first packet (#15647) Precompute segments offsets and use them as segment's identity (#15656) Empty chunks cannot be used while allocating from the shared queue (#15659) Only register chunk sizes in adaptive allocator (#15663) Fix concurrent chunk data write bug in adaptive allocator (#15664) Update jni-util version to clarify licensing (#15689) Fix Snappy compression bug (#15715) Fix aligned off-heap zeroing (#15744) For... [Less]

We are happy to announce the release of netty 4.1.127.Final. This is a bug-fix release which fixes a regression introduced by 4.1.126.Final that might affect you if you use BouncyCastle. We decided to do a quick follow-up release here so people that ... [More] depend on it can still get the fixes for CVE-2025-58057 and CVE-2025-58056 that were part of 4.1.125.Final. The most important changes are: BouncyCastleAlpnSslUtils needs to use the correct SSLEngine class as otherwise it will fail to init static fields. (#15628) For more details please visit our bug tracker Thank You Every idea and bug-report counts, and so we thought it is worth mentioning those... [Less]

We are happy to announce the release of netty 4.2.6.Final. This is a bug-fix release which fixes a regression introduced by 4.2.5.Final that might affect you if you use BouncyCastle. We decided to do a quick follow-up release here so people that ... [More] depend on it can still get the fixes for CVE-2025-58057 and CVE-2025-58056 that were part of 4.2.5.Final. The most important changes are: BouncyCastleAlpnSslUtils needs to use the correct SSLEngine class as otherwise it will fail to init static fields. (#15630) IoUring: Allow to create IoHandlerFactory that supports changing the Thread and so supports AutoScalingEventExecutorChooserFactory. (#15608) For more details please visit our bug tracker Thank... [Less]

We are happy to announce the release of netty 4.1.126.Final. This is a bug-fix release which also contains a 2 security fixes, CVE-2025-58057 and CVE-2025-58056. The most important changes are: Decompression codecs vulnerable to DoS via zip bomb ... [More] style attack (CVE-2025-58057) Request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056) Fix IllegalReferenceCountException on invalid upgrade response (#15606) Drop unknown frame on missing stream (#15595) Don't try to handle incomplete upgrade request (#15585) Make org.graalvm.nativeimage:svm optional in netty-common (#15558) For more details please visit our bug tracker Thank You Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area. Please report an... [Less]

We are happy to announce the release of netty 4.2.5.Final. This is a bug-fix release which also contains a 2 security fixes, CVE-2025-58057 and CVE-2025-58056. The most important changes are: Decompression codecs vulnerable to DoS via zip bomb ... [More] style attack (CVE-2025-58057) Request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056) Only register chunk sizes in adaptive allocator (#15575) Always load BouncyCastle classes with the Netty classloader (#15569) Update to quiche 0.24.5 (#15556) Clean up netty-buffer Import-Package (#15562) Don't try to handle incomplete upgrade request (#15581) SubmissionQueue::toString should iterate from the head (#15586) Implement automatic scaling for EventLoopGroup threads (#15524) Drop unknown frame on missing stream (#15592) IoUring: Reduce redundant system calls... [Less]

We are happy to announce the release of netty-incubator-codec-quic 0.0.73.Final. This is a bug-fix release but also upgrades its quiche version to fix CVE-2025-7054. Because of this we highly recommend to upgrade as soon as possible. The most ... [More] important changes are: Correctly map GENERIC to UNKNOWN when using BoringSSL (#816) Update to quiche 0.24.5 (#815) Update netty dependency (#817) For more details related to this release see our bug-tracker. For more details about this codec in general please read our initial announcement. Thank You Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area. Please report an unintended omission. @m1ngyuan @normanmaurer @vazh2100... [Less]

We are happy to announce the release of netty-incubator-codec-ohttp 0.0.19.Final. This is a bug-fix release. The most important changes are: Release buffer when serialization throws exception (#104) Update to latest netty release (#106) For more details related to this release see our bug-tracker....

We are happy to announce the release of netty 4.1.124.Final. This is a bug-fix release which also contains a fix for a CVE-2025-55163. The most important changes are: MadeYouReset HTTP/2 DDoS vulnerability (CVE-2025-55163) Fix NPE and ... [More] AssertionErrors when many tasks are scheduled and cancelled (#15499) HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncoder (#15518) Epoll: Correctly handle UDP packets with source port of 0 (#15537) Fix netty-common OSGi Import-Package header (#15546) MqttConnectPayload.toString() includes password (#15554) For more details please visit our bug tracker Thank You Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area. Please report an unintended omission. @bryce-anderson @chrisvest @d-william @franz1981 @galbarnahum @jbertram @normanmaurer @rovarga @vietj @violetagg @yawkat... [Less]

We are happy to announce the release of netty 4.2.4.Final. This is a bug-fix release which also contains a fix for a CVE-2025-55163. The most important changes are: MadeYouReset HTTP/2 DDoS vulnerability (CVE-2025-55163) Add support for SOCKS5 ... [More] private authentication methods (RFC#1928) (#15470) IoUring: Add support for IORING_OP_SEND_ZC (#15491) JFR profile and JFR reader for the allocation simulator (#15497) Add namespace to our JFR events (#15500) Fix NPE and AssertionErrors when many tasks are scheduled and cancelled (#15501) IoUring: Detect completion queue overflow (#15505) Fix JFR event names in the flight recorder profile (#15506) Add close-tracking to our leak detector (#15512) ByteBufOutputStream.writeBytes should only write lower-order bytes (#15514) HTTP2: Http2ConnectionHandler should always use... [Less]