[FR] Vulnerabilities in netty CVE-2025-58056, CVE-2025-58057

Open synaos-bwi opened this issue 2 months ago • 1 comments

Is your feature request related to a problem? Please describe.

Firebase Admin is using netty version 4.1.124.Final, which has the vulnerabilities CVE-2025-58056 and CVE-2025-58057. The issues are solved with 4.1.126.Final (https://netty.io/news/2025/09/03/4-1-126-Final.html); a 127.Final also exists.

Describe the solution you'd like

I'd like updates to the dependency to at least 4.1.126.Final, so that we can remove our manual version override.

synaos-bwi, Oct 08 '25 06:10

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

google-oss-bot, Oct 08 '25 06:10

Is this still valid? It seems like firebase-admin has been using netty 4.2.x for some time now.

ansf, Dec 16 '25 14:12

I just checked the latest release v9.7.0 and we are on <netty.version>4.2.6.Final</netty.version>. I am going to close this issue. Please open a new one if you still have problems. Thanks!

lahirumaramba, Dec 16 '25 16:12