confluentinc · saheeeel · Feb 9, 2026
@@ -91,43 +91,15 @@
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>apache-client</artifactId>
         </dependency>
+        <!-- Netty version alignment is handled by io.netty:netty-bom in the root POM's
+             dependencyManagement. All transitive Netty modules from netty-nio-client
+             will resolve to ${netty.version} (4.1.125.Final), remediating:
+               - CVE-2025-58056 (HTTP Request Smuggling in netty-codec-http)
+               - CVE-2025-58057 (DoS in netty-codec)
+             No exclusions needed — the BOM governs all io.netty artifact versions. -->
         <dependency>
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>netty-nio-client</artifactId>
-<!--            exclude netty dependecies as the latest version still has CVE-2025-55163, CVE-2025-58056,-->
-<!--            CVE-2025-58057-->
-            <exclusions>
-                <exclusion>
-                    <groupId>io.netty</groupId>
-                    <artifactId>netty-codec</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>io.netty</groupId>
-                    <artifactId>netty-codec-http</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>io.netty</groupId>
-                    <artifactId>netty-codec-http-2</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <!--    pin version to fix CVE-2025-58056-->
-        <dependency>
-            <groupId>io.netty</groupId>
-            <artifactId>netty-codec-http</artifactId>
-            <version>4.2.5.Final</version>
-        </dependency>
-        <!--        pin version to fix CVE-2025-5516-->
-        <dependency>
-            <groupId>io.netty</groupId>
-            <artifactId>netty-codec-http2</artifactId>
-            <version>4.2.5.Final</version>
-        </dependency>
-        <!--        pin version to fixCVE-2025-58057-->
-        <dependency>
-            <groupId>io.netty</groupId>
-            <artifactId>netty-codec</artifactId>
-            <version>4.2.5.Final</version>
         </dependency>
         <dependency>
             <groupId>io.findify</groupId>

@@ -72,6 +72,9 @@
         <zookeeper.version>3.8.4</zookeeper.version>
         <dnsjava.version>3.6.1</dnsjava.version>
         <commons.lang3.version>3.18.0</commons.lang3.version>
+        <!-- Netty version pinned to remediate CVE-2025-58056 and CVE-2025-58057.
+             All io.netty modules MUST be aligned to this version to prevent Jar Hell. -->
+        <netty.version>4.1.125.Final</netty.version>
     </properties>
 
     <repositories>
@@ -106,20 +109,21 @@
                 <artifactId>jose4j</artifactId>
                 <version>0.9.4</version>
             </dependency>
+            <!-- Netty BOM: Forces ALL io.netty artifacts to a single aligned version.
+                 This remediates CVE-2025-58056 (HTTP Request Smuggling in netty-codec-http)
+                 and CVE-2025-58057 (DoS in netty-codec) found in versions < 4.1.125.Final.
+                 Using the BOM prevents Jar Hell from mixed Netty versions on the classpath. -->
             <dependency>
                 <groupId>io.netty</groupId>
-                <artifactId>netty-codec-http2</artifactId>
-                <version>4.2.5.Final</version>
+                <artifactId>netty-bom</artifactId>
+                <version>${netty.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
             </dependency>
         </dependencies>
     </dependencyManagement>
 
     <dependencies>
-        <dependency>
-            <groupId>io.netty</groupId>
-            <artifactId>netty-codec-http2</artifactId>
-            <version>4.2.5.Final</version>
-        </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpclient</artifactId>