[🐛 Bug]: Inconsistent dependencies of netty jars in sessions docker image - 4.1.124.Final (vulnerable)

[amardeep2006]

What happened?

I just did a security scan for version 4.36.0-20251001 and sessions docker image is flagged for a vulnerability in netty-codec at /external_jars/https/repo1.maven.org/maven2/io/netty/netty-codec/4.1.124.Final/netty-codec-4.1.124.Final.jar

Observation 1:
When i inspected the sessions image, i could see two versions of netty-codec jars in the docker image.
Note: this issue is observed with the sessions image only and not present in any other docker image from selenium grid.

Observation 2:
Another inconsistency in the dependencies that I observed in all selenium grid Images 4.36 version is the older version 4.1.124.Final for two more jars (not vulnerable though) . Interestingly there is no version 4.2.6.Final present for these two jars.

1. /external_jars/https/repo1.maven.org/maven2/io/netty/netty-codec-socks/4.1.124.Final/netty-codec-socks-4.1.124.Final.jar
2. /external_jars/https/repo1.maven.org/maven2/io/netty/netty-handler-proxy/4.1.124.Final/netty-handler-proxy-4.1.124.Final.jar

Command used to start Selenium Grid with Docker (or Kubernetes)

helm chart

Relevant log output

NA

Operating System

EKS

Docker Selenium version (image tag)

4.36.0-20251001

Selenium Grid chart version (chart version)

0.46.2

[github-actions]

@amardeep2006, thank you for creating this issue. We will troubleshoot it as soon as we can.

---

Info for maintainers

Triage this issue by using labels.

If information is missing, add a helpful comment and then I-issue-template label.

If the issue is a question, add the I-question label.

If the issue is valid but there is no time to troubleshoot it, consider adding the help wanted label.

If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable G-* label, and it will provide the correct link and auto-close the issue.

After troubleshooting the issue, please add the R-awaiting answer label.

Thank you!

[VietND96]

Checking on this. Probably it is part of other dependencies, since the list of deps only includes 4.2.6.Final in Selenium jar https://mvnrepository.com/artifact/org.seleniumhq.selenium/selenium-grid/4.36.0

[VietND96]

@amardeep2006 I tried to patch to the same tag. So, can you force pull new digest and verify?

[amardeep2006]

@VietND96 I tried this hash docker.io/selenium/sessions:4.36.0-20251001@sha256:973aa07003d2a7c75ad686e32eea0a52a8deaf48a3595efc2cc23111537fc217
and seems the old jar is still available.