Skip to content

Upgrade Bigtable jar to use latest version of grpc-netty-shaded to avoid CVE-2025-55163 #2684

New issue
New issue
Open
Open
Upgrade Bigtable jar to use latest version of grpc-netty-shaded to avoid CVE-2025-55163#2684
Labels
api: bigtableIssues related to the googleapis/java-bigtable API.
@HarindraMourya

Description

@HarindraMourya
HarindraMourya
opened on Oct 3, 2025
  1. OS type and version: Linux
  2. Java version: 17
  3. bigtable version(s): 2.58.1 and 2.67.0

Steps to reproduce

  1. To resolve the CVE-2025-55163 with grpc-netty-shaded upgraded its version to 1.75.0
  2. Upgrade Bigtable version as well to latest 2.67.0
  3. With these changes adminClient.exists(tableName) returns error

Code example

BigtableTableAdminClient adminClient;
adminClient.exists(tableName)

Stack trace

Caused by: io.grpc.StatusRuntimeException: UNKNOWN: Channel Pipeline: [ProtocolNegotiators$PlaintextHandler#0, WriteBufferingAndExceptionHandler#0, DefaultChannelPipeline$TailContext#0]
	at app//io.grpc.Status.asRuntimeException(Status.java:532)
	at app//io.grpc.stub.ClientCalls$UnaryStreamToFuture.onClose(ClientCalls.java:538)
	at app//io.grpc.PartialForwardingClientCallListener.onClose(PartialForwardingClientCallListener.java:39)
	at app//io.grpc.ForwardingClientCallListener.onClose(ForwardingClientCallListener.java:23)
	at app//io.grpc.ForwardingClientCallListener$SimpleForwardingClientCallListener.onClose(ForwardingClientCallListener.java:40)
	at app//com.google.api.gax.grpc.ChannelPool$ReleasingClientCall$1.onClose(ChannelPool.java:569)
	at app//io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:564)
	at app//io.grpc.internal.ClientCallImpl.access$100(ClientCallImpl.java:72)
	at app//io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInternal(ClientCallImpl.java:729)
	at app//io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:710)
	at app//io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
	at app//io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:133)
	... 3 more
Caused by: java.lang.NoSuchFieldError: ATTR_AUTHORITY_VERIFIER
	at io.grpc.netty.shaded.io.grpc.netty.ProtocolNegotiators$PlaintextHandler.protocolNegotiationEventTriggered(ProtocolNegotiators.java:1062)
	at io.grpc.netty.shaded.io.grpc.netty.ProtocolNegotiators$ProtocolNegotiationHandler.userEventTriggered(ProtocolNegotiators.java:1154)
	at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:398)
	at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:376)
	at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.fireUserEventTriggered(AbstractChannelHandlerContext.java:368)
	at io.grpc.netty.shaded.io.grpc.netty.ProtocolNegotiators$ProtocolNegotiationHandler.fireProtocolNegotiationEvent(ProtocolNegotiators.java:1183)
	at io.grpc.netty.shaded.io.grpc.netty.ProtocolNegotiators$WaitUntilActiveHandler.channelActive(ProtocolNegotiators.java:1087)
	at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:260)
	at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:238)
	at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:231)
	at io.grpc.netty.shaded.io.netty.channel.DefaultChannelPipeline$HeadContext.channelActive(DefaultChannelPipeline.java:1345)
	at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:258)
	at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:238)
	at io.grpc.netty.shaded.io.netty.channel.DefaultChannelPipeline.fireChannelActive(DefaultChannelPipeline.java:844)
	at io.grpc.netty.shaded.io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe.fulfillConnectPromise(AbstractEpollChannel.java:663)
	at io.grpc.netty.shaded.io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe.finishConnect(AbstractEpollChannel.java:696)
	at io.grpc.netty.shaded.io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe.epollOutReady(AbstractEpollChannel.java:567)
	at io.grpc.netty.shaded.io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:491)
	at io.grpc.netty.shaded.io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:399)
	at io.grpc.netty.shaded.io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
	at io.grpc.netty.shaded.io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.grpc.netty.shaded.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	... 1 more

Any additional information below

We would request you to release the latest version of Big Table that do not have any vulnerability in grpc-netty-shaded.

Thanks!

Metadata

Metadata

Assignees

No one assigned

    Labels

    api: bigtableIssues related to the googleapis/java-bigtable API.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions