Consider Upgrading Netty to 4.1.118.Final Due to CVE-2025-24970

[CPogX]

CVE-2025-24970 is coming high in my security scans.

Please consider upgrading Netty version to 4.1.118.Final. Not a big deal as I can just specify the netty version in my java project, but I wanted to try the karate-npm and the -all jar it tries to pull is quarantined on my end.

https://nvd.nist.gov/vuln/detail/CVE-2025-24970
GHSA-4g8c-wm8x-jfhw

[ptrthomas]

attempted 98469ec to move to latest available armeria that is supposed to pull in netty 4.2.4.Final.

not sure, but karate 1.5.2.RC5 may be already using a newer netty

[rkchunduri]

@ptrthomas is it 1.5.2.RC5 or 1.5.2.RC2? I am not seeing the 1.5.2.RC5 tag any where in the repo. Please help.

[ptrthomas]

@rkchunduri maven https://central.sonatype.com/artifact/io.karatelabs/karate-core/versions

[CPogX]

My apologies for not following up on my own issue. The 1.5.2.RC5 is the one I was using that had the quarantined version of netty. It should be upgraded once the new versions are released(no rush). You can mark this as fixed or whatever is appropriate on your end. Thank you very much.

[ptrthomas]

@CPogX just released 1.5.2.RC6 and I think it resolves everything.
if you can confirm, I'll release 1.5.2 final ASAP