@saheeeel saheeeel commented Feb 9, 2026

JIRA: CC-36508

Problem

kafka-connect-s3 ships with io.netty:netty-codec-http:4.1.118.Final (pulled transitively via software.amazon.awssdk:netty-nio-client and org.apache.hadoop:hadoop-common), which is affected by:

  • CVE-2025-58056 – HTTP Request Smuggling in netty-codec-http (versions < 4.1.125.Final)
  • CVE-2025-58057 – Denial of Service in netty-codec (versions < 4.1.125.Final)

The existing dependency management had several issues:

  1. Individual Netty version pins in kafka-connect-s3/pom.xml used 4.2.5.Final, an unnecessary major version bump that risks binary incompatibility.
  2. Exclusions contained a typo (netty-codec-http-2 instead of netty-codec-http2), making it ineffective.
  3. Not all io.netty modules were aligned, creating a Jar Hell risk (`NoSuchMethodError` at runtime from mixed Netty versions).

Solution

  • Introduced a netty.version property (4.1.125.Final) in the root pom.xml.
  • Imported io.netty:netty-bom into the root <dependencyManagement> section, which forces all io.netty artifacts across the entire multi-module project to resolve to a single, aligned version.
  • Removed the incorrect Netty exclusions and individual version pins from kafka-connect-s3/pom.xml — the BOM now governs all Netty artifact versions.
  • Removed the stale direct netty-codec-http2:4.2.5.Final dependency from the root pom.xml.
Does this solution apply anywhere else?
  • no

The BOM is applied at the root POM level, so all submodules automatically inherit the fix.

Dependency Verification

All 11 io.netty modules now resolve to 4.1.125.Final — zero old versions remain.

Output of mvn dependency:tree -pl kafka-connect-s3 | grep io.netty:<module> for each module:

Compile-scope modules (10):

$ mvn dependency:tree -pl kafka-connect-s3 | grep io.netty:netty-codec-http:
io.netty:netty-codec-http:jar:4.1.125.Final:compile

$ mvn dependency:tree -pl kafka-connect-s3 | grep io.netty:netty-codec-http2:
io.netty:netty-codec-http2:jar:4.1.125.Final:compile

$ mvn dependency:tree -pl kafka-connect-s3 | grep io.netty:netty-codec:
io.netty:netty-codec:jar:4.1.125.Final:compile

$ mvn dependency:tree -pl kafka-connect-s3 | grep io.netty:netty-handler:
io.netty:netty-handler:jar:4.1.125.Final:compile

$ mvn dependency:tree -pl kafka-connect-s3 | grep io.netty:netty-transport:
io.netty:netty-transport:jar:4.1.125.Final:compile

$ mvn dependency:tree -pl kafka-connect-s3 | grep io.netty:netty-common:
io.netty:netty-common:jar:4.1.125.Final:compile

$ mvn dependency:tree -pl kafka-connect-s3 | grep io.netty:netty-buffer:
io.netty:netty-buffer:jar:4.1.125.Final:compile

$ mvn dependency:tree -pl kafka-connect-s3 | grep io.netty:netty-resolver:
io.netty:netty-resolver:jar:4.1.125.Final:compile

$ mvn dependency:tree -pl kafka-connect-s3 | grep io.netty:netty-transport-native-unix-common:
io.netty:netty-transport-native-unix-common:jar:4.1.125.Final:compile

$ mvn dependency:tree -pl kafka-connect-s3 | grep io.netty:netty-transport-classes-epoll:
io.netty:netty-transport-classes-epoll:jar:4.1.125.Final:compile

Test-scope module (1):

$ mvn dependency:tree -pl kafka-connect-s3 | grep io.netty:netty-all:
io.netty:netty-all:jar:4.1.125.Final:test

Summary: 11 io.netty modules, all at 4.1.125.Final. No version conflicts. No Jar Hell risk.

Test Strategy

  • Verified via mvn dependency:tree -Dincludes=io.netty that all 11 Netty modules resolve to 4.1.125.Final with zero old versions remaining.
  • Confirmed dependency convergence for io.netty — no version conflicts.
  • Kafka Docker Playground (MinIO S3 Sink): Deployed the built connector into a full KDP environment (Kafka 8.1.0 + Schema Registry + Connect + MinIO). Created an S3SinkConnector, produced 10 Avro messages, and verified all 3 flush batches land as valid Avro files in MinIO. Zero Netty-related runtime errors (NoSuchMethodError, ClassNotFoundException, etc.).
Testing done:
  • Manual tests

Release Plan

Replace fragile per-artifact Netty version pins with io.netty:netty-bom
in root dependencyManagement to align ALL io.netty modules to 4.1.125.Final,
preventing Jar Hell from mixed versions on the classpath.
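The root-POM shape the description above refers to, written out as an added illustration rather than the PR's own diff: the `netty.version` property and the `netty-bom` import in `<dependencyManagement>` come from the description; the maven-enforcer-plugin execution (and its version 3.5.0) is an assumed extra guard, not something the PR states it added, that makes a future mixed-version Netty graph fail the build instead of surfacing as a runtime `NoSuchMethodError`.

```xml
<!-- Added example of a root pom.xml fragment; not the project's actual file. -->
<properties>
  <!-- Single source of truth for the Netty line; covers CVE-2025-58056/58057 (< 4.1.125.Final). -->
  <netty.version>4.1.125.Final</netty.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Importing the BOM manages every io.netty artifact, including the ones pulled in
         transitively by netty-nio-client and hadoop-common, so no per-artifact pins or
         typo-prone exclusions are needed in the submodule POMs. -->
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-bom</artifactId>
      <version>${netty.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<build>
  <plugins>
    <!-- Assumed addition: dependencyConvergence fails the build when two versions of the
         same artifact meet in the resolved graph, so a later transitive bump cannot
         silently reintroduce mixed Netty jars on the classpath. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.5.0</version>
      <executions>
        <execution>
          <id>enforce-dependency-convergence</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <dependencyConvergence/>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With the BOM in place, `mvn dependency:tree -Dincludes=io.netty` (the check used in the Test Strategy) should list one version for every io.netty artifact; the enforcer rule turns that manual grep into a build-time gate.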
@saheeeel saheeeel requested a review from a team as a code owner February 9, 2026 14:08
@confluent-cla-assistant

🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

@ahmedashfaq027
Member

Can you please include the JIRA tickets in the description?

@ahmedashfaq027
Member

Can you also include the output of the mvn dependency:tree | grep <dependency-name> command in the description, covering all of the dependencies you removed?

For example: mvn dependency:tree | grep io.netty:netty-codec-http-2
