
HTTP/2: Parse request-target path like Vert.x #16810

Merged: yawkat merged 7 commits into 4.2 from http2-vertx-request-target-parser on May 28, 2026
@yawkat

@yawkat yawkat commented May 13, 2026

Contributor

Motivation:

HttpConversionUtil.toHttp2Headers currently depends on java.net.URI for absolute-form request-target parsing. On JDKs that still enforce older URI syntax, path or query characters that appear in real HTTP request-targets can make HTTP/1.x to HTTP/2 conversion fail before :path is produced.

Netty only needs URI parsing for the lower-frequency scheme://authority validation/extraction path. The hot path/query extraction can follow the same lightweight parsing shape used by Vert.x while avoiding full URI parsing and avoiding a try/catch fallback.

Modification:

  • Split request-target path and query parsing into Vert.x-shaped parsePath and parseQuery helpers, with comments for Netty-specific differences.
  • Keep URI parsing for scheme://authority validation/extraction only after stripping path/query/fragment data.
  • Preserve origin-form and asterisk-form behavior.
  • Add regression tests for characters rejected by java.net.URI, authority-only and missing-authority absolute-form targets, empty query/fragment handling, and malformed authority validation.
  • Add a Jazzer fuzz test that compares the new behavior against the old URI-based conversion using broad consumeString(128) request-target input and narrow documented compatibility exceptions.

Result:

HTTP/2 conversion no longer relies on full java.net.URI parsing for request-target path/query extraction, while preserving meaningful existing behavior and continuing to validate/extract scheme and authority through URI where appropriate.

Verification performed locally:

  • ./mvnw -pl codec-http2 -Drevapi.skip=true -DskipJapicmp -DskipHttp2Testsuite -DskipAutobahn test
  • JAZZER_FUZZ=1 ./mvnw -pl codec-http2 -Drevapi.skip=true -DskipJapicmp -DskipHttp2Testsuite -DskipAutobahn -Dcheckstyle.skip=true -Dtest=HttpConversionUtilFuzzTest test
  • ./mvnw -pl codec-http2 -Drevapi.skip=true -DskipJapicmp -DskipHttp2Testsuite -DskipAutobahn -Dcheckstyle.skip=true -Dsurefire.failIfNoSpecifiedTests=false -Dtest=HttpConversionUtilTest,HttpConversionUtilFuzzTest test

Motivation:

java.net.URI rejects request-target characters that are accepted in practice and by newer URI parsing rules. HTTP/2 conversion should avoid depending on full URI parsing for path/query extraction while preserving existing scheme and authority validation where it matters.

Modification:

Use Vert.x-style parsePath and parseQuery logic for HTTP/1.x request-target to HTTP/2 :path conversion. Keep URI parsing only for scheme://authority validation and extraction, add edge-case tests, and add a Jazzer comparison target against the previous URI-based behavior.

Result:

Absolute-form request-targets with path or query characters rejected by java.net.URI can be converted without losing :path data. Existing origin-form behavior is preserved, and fuzz coverage documents the narrow compatibility differences from the old URI-based conversion.

Co-Authored-By: multicode <multicode@yawk.at>
@franz1981

Contributor

Consider using lookup tables for tight loops where the branches are not predictable and hot path 🙏

@yawkat

yawkat commented May 13, 2026

Contributor Author

@franz1981 I'm not 100% sure but I think the only hot path is the authority-less URI here so the scheme validation should not be hot

@yawkat yawkat requested a review from Copilot May 13, 2026 09:46
@yawkat yawkat marked this pull request as ready for review May 13, 2026 09:53

Copilot AI left a comment


Pull request overview

This PR updates HTTP/1.x to HTTP/2 request-target conversion so path/query extraction no longer depends on full java.net.URI parsing, while retaining URI-based scheme/authority handling.

Changes:

  • Replaces URI-based :path extraction with lightweight request-target parsing helpers.
  • Adds regression tests for absolute-form edge cases and malformed authorities.
  • Adds a Jazzer-based fuzz test and test dependency for conversion compatibility checks.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| codec-http2/src/main/java/io/netty/handler/codec/http2/HttpConversionUtil.java | Implements new request-target path/query parsing and scheme/authority handling. |
| codec-http2/src/test/java/io/netty/handler/codec/http2/HttpConversionUtilTest.java | Adds regression tests for new absolute-form parsing behavior. |
| codec-http2/src/test/java/io/netty/handler/codec/http2/HttpConversionUtilFuzzTest.java | Adds fuzz compatibility testing against the previous URI-based conversion. |
| codec-http2/pom.xml | Adds the Jazzer JUnit test dependency. |


Comment on lines +635 to +637
i = uri.indexOf('/', i + 3);
if (i == -1) {
// contains no /

Member

@yawkat please check the comment and address or add a comment why it's not valid here

Contributor Author

Addressed here: the production parser now only accepts / before the first query/fragment delimiter after authority:

```java
int authorityStart = i + 3;
// Netty change: only accept '/' before query/fragment as path start.
int queryOrFragmentStart = queryOrFragmentStart(uri, authorityStart);
i = uri.indexOf('/', authorityStart);
if (i == -1 || (queryOrFragmentStart != -1 && queryOrFragmentStart < i)) {
    // contains no /
    return "/";
```

Contributor Author

This is addressed in the current patch: the production parser only accepts / before the first query/fragment delimiter here:

```java
int authorityStart = i + 3;
// Netty change: only accept '/' before query/fragment as path start.
int queryOrFragmentStart = queryOrFragmentStart(uri, authorityStart);
i = uri.indexOf('/', authorityStart);
if (i == -1 || (queryOrFragmentStart != -1 && queryOrFragmentStart < i)) {
    // contains no /
    return "/";
```

Comment on lines +77 to +79
return isOpaqueSchemeSpecificPart(requestTarget) || isSchemeOnlyAbsolutePath(requestTarget)
|| isAbsoluteFormWithoutPathSlash(requestTarget) || hasFragmentBeforeQuery(requestTarget)
|| hasEmptyQueryAndFragmentDelimiters(requestTarget);

Member

@yawkat please check the comment and address or add a comment why it's not valid here

Contributor Author

Addressed here: the fuzz exception uses the same delimiter logic:

```java
int authorityStart = schemeEnd + 3;
int pathStart = requestTarget.indexOf('/', authorityStart);
int delimiter = HttpConversionUtil.queryOrFragmentStart(requestTarget, authorityStart);
return pathStart == -1 || (delimiter != -1 && delimiter < pathStart);
```

There is also regression coverage for query/fragment slashes here:

```java
@Test
public void handlesAbsoluteRequestWithoutPathWhoseQueryOrFragmentContainsSlash() {
    HttpRequest querySlash = new DefaultHttpRequest(
            HttpVersion.HTTP_1_1, HttpMethod.GET, "http://example.com?next=/home", true);
    HttpRequest fragmentSlash = new DefaultHttpRequest(
            HttpVersion.HTTP_1_1, HttpMethod.GET, "http://example.com#/home", true);
    assertEquals(new AsciiString("/?next=/home"),
            HttpConversionUtil.toHttp2Headers(querySlash, true).path());
    assertEquals(new AsciiString("/"), HttpConversionUtil.toHttp2Headers(fragmentSlash, true).path());
```

Contributor Author

This is addressed as well: the fuzz exception uses the same delimiter logic here:

```java
int authorityStart = schemeEnd + 3;
int pathStart = requestTarget.indexOf('/', authorityStart);
int delimiter = HttpConversionUtil.queryOrFragmentStart(requestTarget, authorityStart);
return pathStart == -1 || (delimiter != -1 && delimiter < pathStart);
```

And the regression coverage is here:

```java
@Test
public void handlesAbsoluteRequestWithoutPathWhoseQueryOrFragmentContainsSlash() {
    HttpRequest querySlash = new DefaultHttpRequest(
            HttpVersion.HTTP_1_1, HttpMethod.GET, "http://example.com?next=/home", true);
    HttpRequest fragmentSlash = new DefaultHttpRequest(
            HttpVersion.HTTP_1_1, HttpMethod.GET, "http://example.com#/home", true);
    assertEquals(new AsciiString("/?next=/home"),
            HttpConversionUtil.toHttp2Headers(querySlash, true).path());
    assertEquals(new AsciiString("/"), HttpConversionUtil.toHttp2Headers(fragmentSlash, true).path());
```

Contributor Author

AI double comment 😅
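
The delimiter rule from this review thread, together with the `java.net.URI` rejection described in the PR motivation, as an added Java sketch; it is not code from the PR or from Netty. `RequestTargetPathDemo`, `toPathHeader` and `viaJavaNetUri` are hypothetical names, the body of `queryOrFragmentStart` is an assumption (only its name and call shape appear on the page), and the sketch covers `scheme://authority` targets only. The two `example.com` targets without a path are the ones from the regression test quoted above; the other inputs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration; names are hypothetical and this is not Netty's HttpConversionUtil.
public class RequestTargetPathDemo {

    /** Index of the first '?' or '#' at or after {@code from}, or -1 if neither occurs. */
    static int queryOrFragmentStart(String target, int from) {
        for (int i = from; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c == '?' || c == '#') {
                return i;
            }
        }
        return -1;
    }

    /** Derives a :path value (path plus query, fragment dropped) by index scanning only. */
    static String toPathHeader(String target) {
        int schemeEnd = target.indexOf("://");
        if (schemeEnd <= 0) {
            throw new IllegalArgumentException("sketch handles scheme://authority targets only");
        }
        int authorityStart = schemeEnd + 3;
        int delimiter = queryOrFragmentStart(target, authorityStart);
        int pathStart = target.indexOf('/', authorityStart);
        // A '/' that sits after the first '?' or '#' belongs to the query or fragment,
        // so it must not be taken as the start of the path.
        boolean noPath = pathStart == -1 || (delimiter != -1 && delimiter < pathStart);
        int fragmentStart = target.indexOf('#', authorityStart);
        int end = fragmentStart == -1 ? target.length() : fragmentStart;
        if (noPath) {
            // An empty path becomes "/"; a query, if present, is kept behind it.
            return delimiter != -1 && target.charAt(delimiter) == '?'
                    ? "/" + target.substring(delimiter, end)
                    : "/";
        }
        return target.substring(pathStart, end);
    }

    /**
     * A URI-based split for comparison (an assumption about the general shape of a
     * java.net.URI approach, not the old Netty code). Returns null when URI refuses to parse.
     */
    static String viaJavaNetUri(String target) {
        try {
            URI uri = new URI(target);
            String path = uri.getRawPath();
            String query = uri.getRawQuery();
            String p = path == null || path.isEmpty() ? "/" : path;
            return query == null ? p : p + "?" + query;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        String[] samples = {
            "http://example.com/index.html?a=b",  // constructed
            "http://example.com?next=/home",      // from the regression test on the page
            "http://example.com#/home",           // from the regression test on the page
            "http://example.com/a|b?filter={x}",  // constructed: '|' and '{' make java.net.URI throw
        };
        for (String s : samples) {
            System.out.printf("%-36s scan=%-18s uri=%s%n", s, toPathHeader(s), viaJavaNetUri(s));
        }
    }
}
```

Without the `delimiter < pathStart` check, the second and third samples would take the `/` inside `next=/home` or `#/home` as the path start, which is the mismatch the review comment was about.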

Comment thread codec-http2/src/main/java/io/netty/handler/codec/http2/HttpConversionUtil.java Outdated
Co-Authored-By: multicode <multicode@yawk.at>
@normanmaurer

Member

@yawkat is this ready for review ?

@yawkat yawkat requested a review from normanmaurer May 18, 2026 14:19
Comment thread codec-http2/src/main/java/io/netty/handler/codec/http2/HttpConversionUtil.java Outdated
Comment thread codec-http2/pom.xml Outdated
Co-Authored-By: multicode <multicode@yawk.at>
@normanmaurer

Member

@vietj PTAL as well

@normanmaurer normanmaurer added this to the 4.2.14.Final milestone May 19, 2026
@normanmaurer normanmaurer added the needs-cherry-pick-4.1 and needs-cherry-pick-5.0 labels May 19, 2026
Comment thread codec-http2/src/main/java/io/netty/handler/codec/http2/HttpConversionUtil.java Outdated
@He-Pin

He-Pin commented May 19, 2026

Contributor

what about the jmh performance, better?

@yawkat

yawkat commented May 19, 2026

Contributor Author

Added a JMH benchmark for the request-target conversion path in Http2RequestTargetConversionBenchmark and ran a short local comparison after making the old URI-based helper perform the same final header translation pass as the current conversion.

Command used:

java -jar microbench/target/microbenchmarks.jar 'Http2RequestTargetConversionBenchmark\\.(newConversion|oldUriConversion)' \
  -wi 3 -i 3 -f 1 -r 500ms -w 500ms -tu ns \
  -rf json -rff microbench/target/http2-request-target-conversion-results.json

Environment reported by JMH:

JMH 1.36
JDK 25.0.3, OpenJDK 64-Bit Server VM, 25.0.3+9-LTS
Mode: AverageTime, units: ns/op

Results from this short run (lower is better):

| requestTargetType | newConversion | oldUriConversion |
| --- | --- | --- |
| ORIGIN | 74.381 ± 2.762 | 71.707 ± 3.576 |
| ABSOLUTE | 404.264 ± 97.134 | 495.790 ± 82.001 |
| ABSOLUTE_NO_PATH | 363.876 ± 57.296 | 430.040 ± 565.750 |
| ABSOLUTE_NO_AUTHORITY | 181.581 ± 106.497 | 152.612 ± 15.316 |
| SCHEME_ONLY_ABSOLUTE_PATH | 133.358 ± 15.967 | 232.744 ± 431.868 |

The origin-form case is effectively neutral once both paths include the same final header-copy/filter pass. The representative absolute-form and scheme-only cases are faster with the new parser in this run; ABSOLUTE_NO_AUTHORITY is slower.

@yawkat

yawkat commented May 19, 2026

Contributor Author

those are some awful error ranges 😅

But I think ORIGIN is the most important, and that is mostly unchanged. This PR is about the functionality difference wrt special characters, not about immediately improving performance

@chrisvest chrisvest modified the milestones: 4.2.14.Final, 4.2.15.Final May 20, 2026
@yawkat yawkat merged commit a42c7fc into 4.2 May 28, 2026
20 checks passed
@yawkat yawkat deleted the http2-vertx-request-target-parser branch May 28, 2026 09:06
@netty-project-bot

Contributor

Could not create auto-port PR.
Got conflicts when cherry-picking onto 4.1.

@netty-project-bot

Contributor

Auto-port PR for 5.0: #16855

@github-actions github-actions Bot removed the needs-cherry-pick-5.0 label May 28, 2026
@normanmaurer

Member

@yawkat please open a PR against 4.1 manually as the auto-merge PR could not be created.

@yawkat yawkat linked an issue May 28, 2026 that may be closed by this pull request
normanmaurer pushed a commit that referenced this pull request May 28, 2026
Auto-port of #16810 to 5.0
Cherry-picked commit: a42c7fc

Co-authored-by: Jonas Konrad <jonas.konrad@oracle.com>
Co-authored-by: multicode <multicode@yawk.at>
normanmaurer pushed a commit that referenced this pull request Jun 1, 2026
Manual backport of #16810 to 4.1.

This is not a literal bot auto-port: the Java source, tests, fuzz test,
and microbenchmark changes from the 4.2 PR applied as-is, but the root
`pom.xml` needed a 4.1-specific conflict resolution. The backport keeps
4.1's existing `junit.version` (`5.12.1`) and adds only `jazzer.version`
(`0.30.0`) for the new fuzz test, instead of taking 4.2's newer
JUnit/JUnit Platform version lines.

Cherry-picked source commit: a42c7fc

---
Motivation:

`HttpConversionUtil.toHttp2Headers` currently depends on `java.net.URI`
for absolute-form request-target parsing. On JDKs that still enforce
older URI syntax, path or query characters that appear in real HTTP
request-targets can make HTTP/1.x to HTTP/2 conversion fail before
`:path` is produced.

Netty only needs URI parsing for the lower-frequency
`scheme://authority` validation/extraction path. The hot path/query
extraction can follow the same lightweight parsing shape used by Vert.x
while avoiding full URI parsing and avoiding a try/catch fallback.

Modification:

- Split request-target path and query parsing into Vert.x-shaped
`parsePath` and `parseQuery` helpers, with comments for Netty-specific
differences.
- Keep `URI` parsing for `scheme://authority` validation/extraction only
after stripping path/query/fragment data.
- Preserve origin-form and asterisk-form behavior.
- Add regression tests for characters rejected by `java.net.URI`,
authority-only and missing-authority absolute-form targets, empty
query/fragment handling, and malformed authority validation.
- Add a Jazzer fuzz test that compares the new behavior against the old
URI-based conversion using broad `consumeString(128)` request-target
input and narrow documented compatibility exceptions.

4.1 CI note:

The Jazzer test is opt-in via `JAZZER_FUZZ=1` on this branch. Netty 4.1
CI still runs Linux jobs on old CentOS images whose glibc is too old for
Jazzer's native driver. The initial CI failure was:


`HttpConversionUtilFuzzTest.currentConversionMatchesOldUriBasedConversion`
→ `Failed to run Agent.install` → `libjazzer_driver_*.so:
/lib64/libc.so.6: version 'GLIBC_2.14' not found`.

The deterministic `HttpConversionUtilTest` regression tests still run by
default; the fuzz oracle remains available on compatible hosts by
setting `JAZZER_FUZZ=1`.

Result:

HTTP/2 conversion no longer relies on full `java.net.URI` parsing for
request-target path/query extraction, while preserving meaningful
existing behavior and continuing to validate/extract scheme and
authority through URI where appropriate.

Verification performed locally:

- Default CI-like targeted path: `./mvnw -pl codec-http2 -am
-Drevapi.skip=true -DskipJapicmp -DskipHttp2Testsuite -DskipAutobahn
-Dcheckstyle.skip=true -Dforbiddenapis.skip=true
-Danimal.sniffer.skip=true -Dsurefire.failIfNoSpecifiedTests=false
-Dtest=HttpConversionUtilTest,HttpConversionUtilFuzzTest test` — 31
tests, 0 failures, 1 skipped (`HttpConversionUtilFuzzTest`).
- Opt-in fuzz path: `JAZZER_FUZZ=1 ./mvnw -pl codec-http2 -am
-Drevapi.skip=true -DskipJapicmp -DskipHttp2Testsuite -DskipAutobahn
-Dcheckstyle.skip=true -Dforbiddenapis.skip=true
-Danimal.sniffer.skip=true -Dsurefire.failIfNoSpecifiedTests=false
-Dtest=HttpConversionUtilFuzzTest test` — fuzz test ran successfully on
the local JDK 21 host.
- Checkstyle/compile path: `./mvnw -pl codec-http2 -am -DskipTests
-Drevapi.skip=true -DskipJapicmp -DskipHttp2Testsuite -DskipAutobahn
-Dforbiddenapis.skip=true -Danimal.sniffer.skip=true test` — build
success.

Notes:

- Java LSP diagnostics were unavailable locally because `jdtls` is not
installed in the environment.
- The 4.1 backport keeps 4.1's existing `junit.version` and only adds
`jazzer.version`; `codec-http2` excludes Jazzer's JUnit/JUnit Platform
transitives so the branch-managed test stack is used.

---------

Co-authored-by: multicode <multicode@yawk.at>
dongjoon-hyun added a commit to apache/spark-kubernetes-operator that referenced this pull request Jun 4, 2026
### What changes were proposed in this pull request?

This PR aims to upgrade `Netty` to 4.2.15.Final.

### Why are the changes needed?

To bring the latest bug fixes:

- https://netty.io/news/2026/06/01/4-2-15-Final.html
  - [CVE-2026-48059](GHSA-h2qv-fj59-j46j): memory exhaustion in io.netty:netty-codec-haproxy (high).
  - [CVE-2026-47691](GHSA-5pvg-856g-cp85): DNS cache poisoning in io.netty:netty-resolver-dns (high).
  - [CVE-2026-XXXXX](GHSA-563q-j3cm-6jxm): DDoS in io.netty:netty-codec-http2.
  - [CVE-2026-XXXXX](GHSA-5w86-c3rq-vjj7): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-44250](GHSA-3244-j874-rhc2): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-44890](GHSA-6ghj-frrj-jjj3): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-XXXXX](GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in io.netty:netty-codec-classes-quic.
  - [CVE-2026-44249](GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in io.netty:netty-handler (high).
  - [CVE-2026-XXXXX](GHSA-hvcg-qmg6-jm4c): request smuggling in io.netty:netty-codec-http.
  - [CVE-2026-44892](GHSA-c2rx-5r8w-8xr2): memory exhaustion in io.netty:netty-codec-http3 (high).
  - [CVE-2026-44893](GHSA-cc37-9q2j-3hfv): memory leak in io.netty:netty-codec-haproxy (high).
  - [CVE-2026-44894](GHSA-cmm3-54f8-px4j): traffic amplification in io.netty:netty-codec-classes-quic (high).
  - [CVE-2026-XXXXX](GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  - [CVE-2026-45673](GHSA-xmv7-r254-6q78): DNS cache poisoning in io.netty:netty-resolver-dns.
  - [CVE-2026-45416](GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  - [CVE-2026-45536](GHSA-w573-9ffj-6ff9): file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  - [CVE-2026-45674](GHSA-676x-f7gg-47vc): DNS cache poisoning in io.netty:netty-resolver-dns (high).
  - [CVE-2026-46340](GHSA-5xrh-qmmq-w6ch): memory exhaustion in io.netty:netty-transport-sctp (high).
  - [CVE-2026-47244](GHSA-5x3r-wrvg-rp6q): denial of service in io.netty:netty-codec-http2.
  - [CVE-2026-48006](GHSA-6jv9-x5w9-2ccm): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-48748](GHSA-4grm-h2qv-h6w6): memory exhaustion in io.netty:netty-codec-http3 (high).
  - [CVE-2026-48043](GHSA-c2gf-v879-257j): memory exhaustion in io.netty:netty-codec-http2.
  - Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup [#16836](netty/netty#16836)
  - HTTP/2: Parse request-target path like Vert.x [#16810](netty/netty#16810)
  - ChannelInitializer: correct misleading comment on exceptionCaught route [#16853](netty/netty#16853)
  - FlowControlHandler: Suppress duplicate channelReadComplete after draining queue [#16837](netty/netty#16837)
  - Pass maxAllocation to Brotli and Zstd decoders [#16844](netty/netty#16844)
  - Add maxWindowLog parameter to ZstdDecoder to bound memory allocation [#16850](netty/netty#16850)
  - MQTT: Reject malformed no-payload packets with non-zero Remaining Length [#16890](netty/netty#16890)

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Opus 4.8

Closes #700 from dongjoon-hyun/SPARK-57272.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request Jun 7, 2026
…ip ci]

Bumps `netty.version` from 4.2.14.Final to 4.2.15.Final.
Updates `io.netty:netty-transport` from 4.2.14.Final to 4.2.15.Final
Release notes

*Sourced from [io.netty:netty-transport's releases](https://github.com/netty/netty/releases).*

> netty-4.2.15.Final
> ------------------
>
> Security fixes
> --------------
>
> * [CVE-2026-48059](GHSA-h2qv-fj59-j46j): memory exhaustion in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-47691](GHSA-5pvg-856g-cp85): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-XXXXX](GHSA-563q-j3cm-6jxm): DDoS in `io.netty:netty-codec-http2`.
> * [CVE-2026-50011](GHSA-5w86-c3rq-vjj7): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44250](GHSA-3244-j874-rhc2): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44890](GHSA-6ghj-frrj-jjj3): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-50009](GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in `io.netty:netty-codec-classes-quic`.
> * [CVE-2026-44249](GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in `io.netty:netty-handler` (high).
> * [CVE-2026-50020](GHSA-hvcg-qmg6-jm4c): request smuggling in `io.netty:netty-codec-http`.
> * [CVE-2026-44892](GHSA-c2rx-5r8w-8xr2): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-44893](GHSA-cc37-9q2j-3hfv): memory leak in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-44894](GHSA-cmm3-54f8-px4j): traffic amplification in `io.netty:netty-codec-classes-quic` (high).
> * [CVE-2026-50010](GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in `io.netty:netty-handler` (high).
> * [CVE-2026-45673](GHSA-xmv7-r254-6q78): DNS cache poisoning in `io.netty:netty-resolver-dns`.
> * [CVE-2026-45416](GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in `io.netty:netty-handler` (high).
> * [CVE-2026-45536](GHSA-w573-9ffj-6ff9): file descriptor leak in `io.netty:netty-transport-native-epoll` and `io.netty:netty-transport-native-kqueue`.
> * [CVE-2026-45674](GHSA-676x-f7gg-47vc): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-46340](GHSA-5xrh-qmmq-w6ch): memory exhaustion in `io.netty:netty-transport-sctp` (high).
> * [CVE-2026-47244](GHSA-5x3r-wrvg-rp6q): denial of service in `io.netty:netty-codec-http2`.
> * [CVE-2026-48006](GHSA-6jv9-x5w9-2ccm): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-48748](GHSA-4grm-h2qv-h6w6): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-48043](GHSA-c2gf-v879-257j): memory exhaustion in `io.netty:netty-codec-http2`.
>
> What's Changed
> --------------
>
> * Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by [`@​dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16836](https://redirect.github.com/netty/netty/pull/16836)
> * HTTP/2: Parse request-target path like Vert.x by [`@​yawkat`](https://github.com/yawkat) in [netty/netty#16810](https://redirect.github.com/netty/netty/pull/16810)
> * Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16853](https://redirect.github.com/netty/netty/pull/16853)
> * FlowControlHandler: Suppress duplicate channelReadComplete after draining queue ([#15053](https://redirect.github.com/netty/netty/issues/15053)) by [`@​schiemon`](https://github.com/schiemon) in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * Pass maxAllocation to Brotli and Zstd decoders by [`@​fedinskiy`](https://github.com/fedinskiy) in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
> * Fix revapi warnings by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16885](https://redirect.github.com/netty/netty/pull/16885)
> * Fix SCTP and Redis tests by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16893](https://redirect.github.com/netty/netty/pull/16893)
> * Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by [`@​skyguard1`](https://github.com/skyguard1) in [netty/netty#16850](https://redirect.github.com/netty/netty/pull/16850)
> * Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16890](https://redirect.github.com/netty/netty/pull/16890)
>
> New Contributors
> ----------------
>
> * [`@​schiemon`](https://github.com/schiemon) made their first contribution in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * [`@​fedinskiy`](https://github.com/fedinskiy) made their first contribution in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
>
> **Full Changelog**: <netty/netty@netty-4.2.14.Final...netty-4.2.15.Final>


Commits

* [`a41f7b2`](netty/netty@a41f7b2) [maven-release-plugin] prepare release netty-4.2.15.Final
* [`2394530`](netty/netty@2394530) Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
* [`0bd1657`](netty/netty@0bd1657) Add maxWindowLog parameter to ZstdDecoder to bound memory allocation ([#16850](https://redirect.github.com/netty/netty/issues/16850))
* [`76291f5`](netty/netty@76291f5) Fix SCTP and Redis tests ([#16893](https://redirect.github.com/netty/netty/issues/16893))
* [`e067b6e`](netty/netty@e067b6e) Fix revapi warnings ([#16885](https://redirect.github.com/netty/netty/issues/16885))
* [`5a52600`](netty/netty@5a52600) Pass maxAllocation to Brotli and Zstd decoders ([#16844](https://redirect.github.com/netty/netty/issues/16844))
* [`541add0`](netty/netty@541add0) Merge commit from fork
* [`270800e`](netty/netty@270800e) Merge commit from fork
* [`3d45a1e`](netty/netty@3d45a1e) Merge commit from fork
* [`75127ca`](netty/netty@75127ca) Merge commit from fork
* Additional commits viewable in [compare view](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)
  
Updates `io.netty:netty-codec` from 4.2.14.Final to 4.2.15.Final
* [`0bd1657`](netty/netty@0bd1657) Add maxWindowLog parameter to ZstdDecoder to bound memory allocation ([#16850](https://redirect.github.com/netty/netty/issues/16850))
* [`76291f5`](netty/netty@76291f5) Fix SCTP and Redis tests ([#16893](https://redirect.github.com/netty/netty/issues/16893))
* [`e067b6e`](netty/netty@e067b6e) Fix revapi warnings ([#16885](https://redirect.github.com/netty/netty/issues/16885))
* [`5a52600`](netty/netty@5a52600) Pass maxAllocation to Brotli and Zstd decoders ([#16844](https://redirect.github.com/netty/netty/issues/16844))
* [`541add0`](netty/netty@541add0) Merge commit from fork
* [`270800e`](netty/netty@270800e) Merge commit from fork
* [`3d45a1e`](netty/netty@3d45a1e) Merge commit from fork
* [`75127ca`](netty/netty@75127ca) Merge commit from fork
* Additional commits viewable in [compare view](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)
  
Updates `io.netty:netty-handler` from 4.2.14.Final to 4.2.15.Final
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request Jun 7, 2026
…l [skip ci]

Bumps [io.netty:netty-all](https://github.com/netty/netty) from 4.2.14.Final to 4.2.15.Final.
dongjoon-hyun added a commit to apache/spark that referenced this pull request Jun 8, 2026
### What changes were proposed in this pull request?

This PR aims to upgrade `Netty` to 4.2.15.Final.

### Why are the changes needed?

To bring the latest bug fixes:

- https://netty.io/news/2026/06/01/4-2-15-Final.html
  - [CVE-2026-48059](GHSA-h2qv-fj59-j46j): memory exhaustion in io.netty:netty-codec-haproxy (high).
  - [CVE-2026-47691](GHSA-5pvg-856g-cp85): DNS cache poisoning in io.netty:netty-resolver-dns (high).
  - [CVE-2026-50560](GHSA-563q-j3cm-6jxm): DDoS in io.netty:netty-codec-http2.
  - [CVE-2026-50011](GHSA-5w86-c3rq-vjj7): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-44250](GHSA-3244-j874-rhc2): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-44890](GHSA-6ghj-frrj-jjj3): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-50009](GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in io.netty:netty-codec-classes-quic.
  - [CVE-2026-44249](GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in io.netty:netty-handler (high).
  - [CVE-2026-50020](GHSA-hvcg-qmg6-jm4c): request smuggling in io.netty:netty-codec-http.
  - [CVE-2026-44892](GHSA-c2rx-5r8w-8xr2): memory exhaustion in io.netty:netty-codec-http3 (high).
  - [CVE-2026-44893](GHSA-cc37-9q2j-3hfv): memory leak in io.netty:netty-codec-haproxy (high).
  - [CVE-2026-44894](GHSA-cmm3-54f8-px4j): traffic amplification in io.netty:netty-codec-classes-quic (high).
  - [CVE-2026-50010](GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  - [CVE-2026-45673](GHSA-xmv7-r254-6q78): DNS cache poisoning in io.netty:netty-resolver-dns.
  - [CVE-2026-45416](GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  - [CVE-2026-45536](GHSA-w573-9ffj-6ff9): file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  - [CVE-2026-45674](GHSA-676x-f7gg-47vc): DNS cache poisoning in io.netty:netty-resolver-dns (high).
  - [CVE-2026-46340](GHSA-5xrh-qmmq-w6ch): memory exhaustion in io.netty:netty-transport-sctp (high).
  - [CVE-2026-47244](GHSA-5x3r-wrvg-rp6q): denial of service in io.netty:netty-codec-http2.
  - [CVE-2026-48006](GHSA-6jv9-x5w9-2ccm): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-48748](GHSA-4grm-h2qv-h6w6): memory exhaustion in io.netty:netty-codec-http3 (high).
  - [CVE-2026-48043](GHSA-c2gf-v879-257j): memory exhaustion in io.netty:netty-codec-http2.
  - netty/netty#16836
  - netty/netty#16810
  - netty/netty#16853
  - netty/netty#16837
  - netty/netty#16844
  - netty/netty#16850
  - netty/netty#16890

- https://netty.io/news/2026/05/20/4-2-14-Final.html
  - netty/netty#16747
  - netty/netty#16759
  - netty/netty#16767
  - netty/netty#16781
  - netty/netty#16788

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Opus 4.8

Closes #56373 from dongjoon-hyun/SPARK-57320.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>

Labels

needs-cherry-pick-4.1 This PR should be cherry-picked to 4.1 once merged.

Development

Successfully merging this pull request may close these issues.

"Illegal Character in query" in HttpConversionUtil

9 participants