The Kafka Connect runtime distribution bundles several io.netty jars at versions affected by six HIGH-severity CVEs (five distinct CVE IDs; CVE-2026-42587 affects two jars). All findings share the same root cause — netty is pulled in transitively, not declared directly by Iceberg — and are fixed by the same upstream release line. They are reported as a single issue because a single dependency bump (or constraint) will resolve all of them.
Netty 4.1.133.Final and 4.2.13.Final were both released on 2026-05-04 and are available on Maven Central.
Reproducing
Build the Kafka Connect runtime distribution and scan with Trivy:
# Build from main
./gradlew :iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip -x test -x integrationTest
# Unzip the distribution
unzip -q kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip -d /tmp/iceberg-kc-scan
# Scan with Trivy (use rootfs mode for standalone JAR detection)
trivy rootfs /tmp/iceberg-kc-scan/iceberg-kafka-connect-runtime-*/lib/ -s HIGH,CRITICAL --scanners vuln
These findings are also reported by the Kafka Connect CVE Scan workflow added in #15430; see, for example, this run.
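Trivy reports the CVEs, but it is useful to have a small, dependency-free check that answers the concrete question this issue asks: which io.netty jars in the unzipped lib/ directory are below the first fixed release on their line? The script below is an added example, not code from the issue or the Iceberg project. The artifact list and fixed versions are transcribed from the issue; the jar file names it runs on offline are constructed samples, and the rule it applies when a jar's release line has no listed fix (move to the lowest listed fix above it, as for netty-transport-native-epoll 4.1.x) is an assumption.

```python
"""Flag io.netty jars in a Kafka Connect runtime lib/ directory that are below
the fixed Netty release for their release line (added example, not Iceberg code)."""
import re
import sys
from pathlib import Path

# Affected artifact -> first fixed Netty release(s) named in the issue.
FIXED_VERSIONS = {
    "netty-codec": ["4.1.133.Final"],
    "netty-codec-dns": ["4.1.133.Final", "4.2.13.Final"],
    "netty-codec-http": ["4.1.133.Final", "4.2.13.Final"],
    "netty-codec-http2": ["4.1.133.Final", "4.2.13.Final"],
    "netty-transport-native-epoll": ["4.2.13.Final"],
}

# Matches netty-codec-http-4.1.132.Final.jar and the native-classifier form
# netty-transport-native-epoll-4.1.130.Final-linux-x86_64.jar (assumed naming).
JAR_RE = re.compile(
    r"^(?P<artifact>netty-[a-z0-9-]+?)-(?P<version>\d+\.\d+\.\d+\.Final)"
    r"(?:-[a-z0-9_-]+)?\.jar$"
)


def numeric(version):
    """'4.1.132.Final' -> (4, 1, 132) so that versions compare numerically."""
    return tuple(int(p) for p in version.replace(".Final", "").split("."))


def required_version(artifact, version):
    """Return the release the jar must be raised to, or None if it is already
    at or above the fix for its release line (or not named in the issue)."""
    fixes = FIXED_VERSIONS.get(artifact)
    if not fixes:
        return None
    current = numeric(version)
    same_line = [f for f in fixes if numeric(f)[:2] == current[:2]]
    if same_line:
        fix = min(same_line, key=numeric)
        return None if current >= numeric(fix) else fix
    # Assumption: with no fix listed on this line, the jar has to move to the
    # lowest listed fix above it. A jar above every listed fix is not flagged,
    # because the issue's table says nothing about it.
    higher = [f for f in fixes if numeric(f) > current]
    return min(higher, key=numeric) if higher else None


def audit(jar_names):
    """Map each vulnerable netty jar file name to the release it needs."""
    findings = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue
        needed = required_version(m["artifact"], m["version"])
        if needed:
            findings[name] = needed
    return findings


def audit_dir(lib_dir):
    """Run audit() over the *.jar files in a directory such as lib/."""
    return audit(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed sample: the bundled versions the issue reports, plus a jar not
# named in the issue, a jar already at its fix, and a non-netty jar as controls.
SAMPLE_LIB = [
    "netty-codec-4.1.132.Final.jar",
    "netty-codec-dns-4.1.128.Final.jar",
    "netty-codec-http-4.1.132.Final.jar",
    "netty-codec-http2-4.1.132.Final.jar",
    "netty-transport-native-epoll-4.1.130.Final-linux-x86_64.jar",
    "netty-buffer-4.1.132.Final.jar",
    "netty-codec-http-4.2.13.Final.jar",
    "other-library-1.0.0.jar",
]

if __name__ == "__main__":
    # Usage: python netty_audit.py /tmp/iceberg-kc-scan/<dist>/lib/
    findings = audit_dir(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_LIB)
    for jar, fix in sorted(findings.items()):
        print(f"{jar}: raise to {fix}")
    sys.exit(1 if findings else 0)
```

Run without arguments it audits the constructed sample; with the lib/ path from the unzip step above it audits the real distribution and exits non-zero when any listed jar is still below its fix, which makes it usable as a build gate alongside the Trivy workflow. The remediation itself is the version bump or constraint the issue describes, applied in the Gradle build.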
Note
This analysis was performed with the assistance of Claude Opus 4.7 (Anthropic).
Affected jars

| Issue | Affected jar (bundled version) | Fixed in |
| --- | --- | --- |
| Lz4FrameDecoder resource exhaustion | io.netty:netty-codec (4.1.132.Final) | 4.1.133.Final |
| | io.netty:netty-codec-dns (4.1.128.Final) | 4.1.133.Final, 4.2.13.Final |
| HttpClientCodec response desynchronization | io.netty:netty-codec-http (4.1.132.Final) | 4.1.133.Final, 4.2.13.Final |
| HttpContentDecompressor maxAllocation bypass (br/zstd/snappy decompression-bomb DoS) | io.netty:netty-codec-http (4.1.132.Final) | 4.1.133.Final, 4.2.13.Final |
| | io.netty:netty-codec-http2 (4.1.132.Final) | 4.1.133.Final, 4.2.13.Final |
| | io.netty:netty-transport-native-epoll (4.1.130.Final) | 4.2.13.Final |