Closed
Labels
bug: Something isn't working
Description
Apache Iceberg version
1.10.1 (latest release)
Query engine
Kafka Connect
Please describe the bug 🐞
When building the Kafka Connect connector as part of hopefully getting it onto Confluent Marketplace (née Confluent Hub), the vuln scanner reports CVE-2025-55163:
$ trivy rootfs --severity HIGH,CRITICAL kafka-connect/kafka-connect-runtime/build/distributions/
[…]
┌──────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ io.grpc:grpc-netty-shaded (grpc-netty-shaded-1.71.0.jar) │ CVE-2025-55163 │ HIGH │ fixed │ 1.71.0 │ 1.75.0 │ netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS │
│ │ │ │ │ │ │ Vulnerability │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-55163 │
└──────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
Willingness to contribute
- I can contribute a fix for this bug independently
- I would be willing to contribute a fix for this bug with guidance from the Iceberg community
- I cannot contribute a fix for this bug at this time