Skip to content

MODINV-1321: Vert.x 4.5.23 fixing CVE-2025-67735 Netty CRLF injection #879

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
julianladisch merged 1 commit into from
Jan 13, 2026
Merged

MODINV-1321: Vert.x 4.5.23 fixing CVE-2025-67735 Netty CRLF injection #879

julianladisch merged 1 commit into from
Jan 13, 2026

Conversation

@julianladisch
Copy link
Contributor

@julianladisch julianladisch commented Dec 16, 2025
edited
Loading

https://folio-org.atlassian.net/browse/MODINV-1321

Fix Netty CRLF injection request smuggling

Approach

Bump Vertx from 4.5.13 to 4.5.23.

This requires to also bump mod-source-record-storage-client from
5.10.0 to 5.10.14 to get a compatible RMB version, see
https://github.com/folio-org/raml-module-builder/releases/tag/v35.4.2

In TenantApiTest#shouldNotDropSchemaWithIncorrectConnectionOptions we
need an invalid port number because the new Vertx version makes longer
lookup retries for the hostname invalid that exceeds our timeout of
10 seconds. The invalid port number immediately fails and speeds up the
test.

@julianladisch julianladisch requested a review from a team December 16, 2025 17:04
@julianladisch julianladisch marked this pull request as draft December 17, 2025 11:47
@julianladisch
MODINV-1321: Vert.x 4.5.23 fixing CVE-2025-67735 Netty CRLF injection
d03cb26 
https://folio-org.atlassian.net/browse/MODINV-1321

Fix Netty CRLF injection request smuggling

* CVE-2025-67735 GHSA-84h7-rjj3-6jx4

Approach

Bump Vertx from 4.5.13 to 4.5.23.

This requires to also bump mod-source-record-storage-client from
5.10.0 to 5.10.14 to get a compatible RMB version, see
https://github.com/folio-org/raml-module-builder/releases/tag/v35.4.2

In TenantApiTest#shouldNotDropSchemaWithIncorrectConnectionOptions we
need an invalid port number because the new Vertx version makes longer
lookup retries for the hostname `invalid` that exceeds our timeout of
10 seconds. The invalid port number immediately fails and speeds up the
test.
@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 11, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@julianladisch julianladisch marked this pull request as ready for review January 11, 2026 11:27
@julianladisch julianladisch requested review from a team and Aliaksandr-Fedasiuk January 11, 2026 11:27
@julianladisch julianladisch merged commit cc4802a into master Jan 13, 2026
6 checks passed
@julianladisch julianladisch deleted the MODINV-1321 branch January 13, 2026 14:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Aliaksandr-Fedasiuk Aliaksandr-Fedasiuk Aliaksandr-Fedasiuk approved these changes

@KaterynaSenchenko KaterynaSenchenko KaterynaSenchenko approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@julianladisch @Aliaksandr-Fedasiuk @KaterynaSenchenko