
Update grpc version to 1.75.0#198

Draft

rohanshah18 wants to merge 1 commit into main from rshah/update-netty-version

Conversation

@rohanshah18
Contributor

Problem

Describe the purpose of this change. What problem is being solved and why?

Solution

Describe the approach you took. Link to any relevant bugs, issues, docs, or other resources.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • Infrastructure change (CI configs, etc)
  • Non-code change (docs, etc)
  • None of the above: (explain here)

Test Plan

Describe specific steps for validating this change.

joerg84 added a commit that referenced this pull request Jun 5, 2026
…erity DoS) (#222)

## Summary
Fixes **CVE-2025-24970** (HIGH, CVSS 7.5) in Netty. `grpc-netty:1.60.2`
pulls **Netty 4.1.100.Final** transitively, where a specially crafted
packet can crash the native `SslHandler`, causing a **denial of
service**. The fix is Netty ≥ 4.1.118.Final.

grpc-netty does not pin a patched Netty even in recent releases (see
[grpc/grpc-java#11911](grpc/grpc-java#11911) —
1.70.0 still scans HIGH), so this pins Netty directly without a large
grpc upgrade.

## Changes
- Pin the three Netty modules that `grpc-netty` declares directly —
`netty-codec-http2`, `netty-handler-proxy`,
`netty-transport-native-unix-common` — to **4.1.135.Final**.
- Bump `netty-tcnative-boringssl-static` **2.0.61.Final → 2.0.77.Final**
(the version paired with Netty 4.1.135).

### Why pin those three modules
The published artifact is the thin jar with a flat dependency POM (no
`<dependencyManagement>`), so consumers resolve Netty transitively from
`grpc-netty`. A BOM/constraint would **not** override the transitive
version for Maven consumers. Declaring the same three modules
`grpc-netty` declares — as **direct** deps at the patched version —
makes the patched version win for everyone (Maven nearest-wins, Gradle
highest-wins), pulling the whole Netty graph (incl. the vulnerable
`netty-handler` / `netty-common`) up to 4.1.135.

### Bonus
Also brings in patched `netty-codec-http` (CVE-2024-29025) and
`netty-common` (CVE-2025-25193).

## Verification
- `./gradlew clean build jar compileIntegrationTestJava` → **BUILD
SUCCESSFUL**, unit tests pass (JDK 17, Gradle 8.5).
- `gradle dependencies --configuration runtimeClasspath` → **every**
`io.netty:*` module resolves to **4.1.135.Final** (the three `4.1.100 ->
4.1.135` overrides are visible), tcnative at 2.0.77.
- Generated POM lists the three Netty modules at 4.1.135.Final +
tcnative 2.0.77 as direct deps, so the override propagates to consumers.

## Notes
- Netty 4.1.x is binary-backward-compatible, so pinning ahead of
grpc-netty's tested 4.1.100 is safe; this is the remediation grpc
recommends for these CVEs. CI's `integration-test` job exercises the
live gRPC/Netty transport.
- Related but heavier alternative: draft #198 (grpc → 1.75.0). This PR
is the focused CVE fix.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

> [!NOTE]
> **Medium Risk**
> Changes the gRPC transport stack (Netty/tcnative) for all library
> consumers; low code churn but affects security-sensitive networking
> dependencies.
>
> **Overview**
> Pins **Netty 4.1.135.Final** on the three modules `grpc-netty` pulls
> in directly (`netty-codec-http2`, `netty-handler-proxy`,
> `netty-transport-native-unix-common`) so Gradle/Maven consumers get
> patched artifacts instead of **4.1.100.Final** from `grpc-netty:1.60.2`,
> addressing **CVE-2025-24970** and related Netty CVEs without upgrading
> gRPC.
>
> Bumps **`netty-tcnative-boringssl-static`** from **2.0.61.Final** to
> **2.0.77.Final** to match the pinned Netty line.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
> 7dbacce. Bugbot is set up for automated
> code reviews on this repo. Configure
> [here](https://www.cursor.com/dashboard/bugbot).</sup>

Co-authored-by: joerg84 <joerg@pinecone.io>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
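The commit message above argues that declaring the three Netty modules as direct dependencies at the patched version makes that version win under both Maven's nearest-wins mediation and Gradle's highest-wins conflict resolution, and that the whole transitive Netty graph follows. The following Python model is an added example, not code from this PR or from the project, grpc or Netty: it builds a constructed, deliberately simplified dependency graph (only the edges needed to show the conflict; real grpc-netty and Netty trees are larger), runs both resolution strategies over the unpinned and the pinned root, and then checks the result against the 4.1.118.Final minimum that the commit message names as the fix. The graph, the root dependency lists and the module edges are assumptions for illustration.

```python
import re
from collections import deque

# Constructed, simplified dependency graph: (artifact, version) -> declared deps.
# Real grpc-netty / Netty trees are larger; this keeps only the edges needed to
# show the conflict. Versions follow the commit message (4.1.100 -> 4.1.135).
GRAPH = {
    ("io.grpc:grpc-netty", "1.60.2"): [
        ("io.netty:netty-codec-http2", "4.1.100.Final"),
        ("io.netty:netty-handler-proxy", "4.1.100.Final"),
        ("io.netty:netty-transport-native-unix-common", "4.1.100.Final"),
    ],
}
for _v in ("4.1.100.Final", "4.1.135.Final"):
    GRAPH[("io.netty:netty-codec-http2", _v)] = [("io.netty:netty-handler", _v)]
    GRAPH[("io.netty:netty-handler-proxy", _v)] = [("io.netty:netty-handler", _v)]
    GRAPH[("io.netty:netty-transport-native-unix-common", _v)] = [("io.netty:netty-common", _v)]
    GRAPH[("io.netty:netty-handler", _v)] = [("io.netty:netty-common", _v)]
    GRAPH[("io.netty:netty-common", _v)] = []

# The consuming project's own declared dependencies, before and after the pin
# (assumed layout: grpc-netty plus the three modules grpc-netty declares directly).
ROOT_UNPINNED = [("io.grpc:grpc-netty", "1.60.2")]
ROOT_PINNED = ROOT_UNPINNED + [
    ("io.netty:netty-codec-http2", "4.1.135.Final"),
    ("io.netty:netty-handler-proxy", "4.1.135.Final"),
    ("io.netty:netty-transport-native-unix-common", "4.1.135.Final"),
]

FIX_VERSION = "4.1.118.Final"  # minimum patched Netty named in the commit message


def version_key(v):
    """Numeric components of a version ('4.1.135.Final' -> (4, 1, 135)) for ordering."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def resolve_nearest_wins(root_deps):
    """Maven-style mediation: the shallowest declaration of an artifact wins,
    and only the winner's own dependencies are walked further."""
    resolved = {}
    queue = deque(root_deps)  # FIFO = breadth-first, so depth 1 is seen before depth 2
    while queue:
        art, ver = queue.popleft()
        if art in resolved:
            continue  # a nearer (or earlier-declared) version already won
        resolved[art] = ver
        queue.extend(GRAPH.get((art, ver), []))
    return resolved


def resolve_highest_wins(root_deps, max_rounds=20):
    """Gradle-style conflict resolution: the highest requested version wins, and
    the graph is re-walked along the selected versions' edges until stable."""
    selected = {}
    for _ in range(max_rounds):
        requested = {}
        frontier = list(root_deps)
        seen = set()
        while frontier:
            art, ver = frontier.pop()
            requested.setdefault(art, set()).add(ver)
            chosen = selected.get(art, ver)  # follow the currently selected version's edges
            if (art, chosen) in seen:
                continue
            seen.add((art, chosen))
            frontier.extend(GRAPH.get((art, chosen), []))
        new = {a: max(vs, key=version_key) for a, vs in requested.items()}
        if new == selected:
            return selected
        selected = new
    raise RuntimeError("resolution did not converge")


def below_fix(resolved, group="io.netty:", fix=FIX_VERSION):
    """Modules of the given group that resolved below the patched version."""
    return sorted(
        (art, ver) for art, ver in resolved.items()
        if art.startswith(group) and version_key(ver) < version_key(fix)
    )


if __name__ == "__main__":
    for label, root in (("unpinned", ROOT_UNPINNED), ("pinned", ROOT_PINNED)):
        for name, resolver in (("maven", resolve_nearest_wins), ("gradle", resolve_highest_wins)):
            r = resolver(root)
            print(f"{label:8} {name:6} netty-common={r['io.netty:netty-common']:14} "
                  f"still vulnerable={[a for a, _ in below_fix(r)]}")
```

Without the pins both strategies resolve every `io.netty:*` module to 4.1.100.Final, because that is the only version anything requests. With the three direct declarations, the nearest-wins walk meets `netty-codec-http2` at depth 1 before the depth-2 copy under `grpc-netty`, and only the winner's subtree is expanded, so `netty-handler` and `netty-common` come in at 4.1.135 as well; the highest-wins walk reaches the same result by picking 4.1.135 and re-walking along its edges. `below_fix` is the check that the real `gradle dependencies --configuration runtimeClasspath` output should also pass: no Netty module left below the fix version.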