does grpc-netty-shaded < 1.75.0 affected by CVE-2025-55163 ?

[fthmko]

According to the Github Advisory, grpc-netty-shaded < 1.75.0 are marked as affected by the MadeYouReset HTTP/2 DDoS vulnerability.
But in the 1.75.0 release notes, it's only mention it in the "Improvements" section rather than in the "Bug Fixes" section as other vulnerabilities.

Therefore, should I upgrade to 1.75.0 or later to mitigate this vulnerability?

[kula99]

I have the same question, according to the code reference in the Github Advisory, it seems these codes are from grpc-netty but not grpc-netty-shaded

[kannanjgithub]

The code referenced is packaged into both grpc-netty and grpc-netty-shaded jars. Yes, you should upgrade to 1.75.0 or later to mitigate this vulnerability. If you are using grpc-netty and directly specifying a io.netty version, it should be >= 4.1.124 for the fix to actually take effect (grpc-netty-shaded already took care of it by importing this version of netty source code into grpc).

[fthmko]

Ok, I will upgrade it.

Thanks for your clearly reply :)