Upgrade Jetty to 12.0.32 and Netty to 4.1.129.Final to fix CVE-2025-5115, CVE-2026-1605, and CVE-2025-67735#3005

Open
lfurman wants to merge 2 commits into apache:master from lfurman:cve-libraries-upgrade
Conversation

@lfurman

@lfurman lfurman commented Apr 11, 2026

Motivation

This PR upgrades Jetty and Netty to fix HIGH and MEDIUM severity CVEs
found in transitive dependencies.

CVEs Fixed

| CVE | Severity | Library | Before | After |
|---|---|---|---|---|
| CVE-2025-5115 | HIGH | jetty-http2-common | 12.0.20 | 12.0.32 |
| CVE-2026-1605 | HIGH | jetty-server | 12.0.20 | 12.0.32 |
| CVE-2025-67735 | MEDIUM | netty-codec-http | 4.1.126.Final | 4.1.129.Final |
| CVE-2025-11226 | MEDIUM | logback-core/classic | already 1.5.19 | no change |
| CVE-2025-7962 | MEDIUM | angus:smtp | not in tree | no change |

Changes

pom.xml (root)

  • Bump netty.version from 4.1.126.Final to 4.1.129.Final
  • Add jetty.version property set to 12.0.32
  • Add Jetty artifacts to <dependencyManagement> to force transitive
    upgrade:
    • jetty-server, jetty-http, jetty-io, jetty-util
    • jetty-http2-common, jetty-http2-server
    • jetty-websocket-jetty-server
    • jetty-ee10-websocket-jetty-server

examples/pom.xml

  • Add same Jetty and Netty overrides independently in a new
    <dependencyManagement> block.
  • Required because examples/pom.xml inherits from org.apache:apache:23
    and not from james-project root, so root fixes are invisible here.

Verification

mvn dependency:tree > /tmp/final-tree.txt 2>&1

echo "=== JETTY CVE-2025-5115 jetty-http2-common old 12.0.20 (should be empty) ===" && grep -q ":jetty-http2-common:jar:12.0.20" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== JETTY CVE-2025-5115 jetty-http2-common new 12.0.32 (should have hits) ===" && grep -q ":jetty-http2-common:jar:12.0.32" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"

echo "=== JETTY CVE-2026-1605 jetty-server old 12.0.20 (should be empty) ===" && grep -q ":jetty-server:jar:12.0.20" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== JETTY CVE-2026-1605 jetty-server new 12.0.32 (should have hits) ===" && grep -q ":jetty-server:jar:12.0.32" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"

echo "=== JETTY jetty-websocket-jetty-server old 12.0.20 (should be empty) ===" && grep -q ":jetty-websocket-jetty-server:jar:12.0.20" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== JETTY jetty-websocket-jetty-server new 12.0.32 (should have hits) ===" && grep -q ":jetty-websocket-jetty-server:jar:12.0.32" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"

echo "=== JETTY jetty-ee10-websocket-jetty-server old 12.0.20 (should be empty) ===" && grep -q ":jetty-ee10-websocket-jetty-server:jar:12.0.20" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== JETTY jetty-ee10-websocket-jetty-server new 12.0.32 (should have hits) ===" && grep -q ":jetty-ee10-websocket-jetty-server:jar:12.0.32" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"

echo "=== NETTY CVE-2025-67735 netty-codec-http old 4.1.126 (should be empty) ===" && grep -q "netty-codec-http:jar:4.1.126" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== NETTY CVE-2025-67735 netty-codec-http new 4.1.129 (should have hits) ===" && grep -q "netty-codec-http:jar:4.1.129" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"

echo "=== LOGBACK CVE-2025-11226 old 1.5.18 (should be empty) ===" && grep -q "logback.*jar:1.5.18" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== LOGBACK CVE-2025-11226 new 1.5.19 (should have hits) ===" && grep -q "logback.*jar:1.5.19" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"

echo "=== ANGUS SMTP CVE-2025-7962 (should be empty — not in tree) ===" && grep -q "angus.*smtp" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ Not present in tree — expected"
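As an added check that is not part of this PR (the sample tree and all names in it are constructed, and the function names are assumptions), the exact-string greps above can be generalised to a version comparison, so that any Jetty, Netty or logback module resolving below the fixed version is flagged, not only the artifacts the grep lines name:

```python
import re

# Minimum fixed versions from the PR's table: Jetty 12.0.32, Netty 4.1.129.Final,
# logback 1.5.19. Matching by groupId prefix covers every jetty-* / netty-* module
# (including org.eclipse.jetty.http2 and the ee10 websocket modules), not only
# the artifacts the grep lines name.
FIXED_MINIMUMS = {
    "org.eclipse.jetty": "12.0.32",
    "io.netty": "4.1.129.Final",
    "ch.qos.logback": "1.5.19",
}

# Constructed sample of `mvn dependency:tree` output; every coordinate here is
# made up for this example and is not taken from the PR or the project.
SAMPLE_TREE = """\
[INFO] org.example:example-app:jar:1.0.0-SNAPSHOT
[INFO] +- com.example:example-web:jar:9.9.9:compile
[INFO] |  +- org.eclipse.jetty:jetty-server:jar:12.0.20:compile
[INFO] |  \\- org.eclipse.jetty.http2:jetty-http2-common:jar:12.0.32:compile
[INFO] +- io.netty:netty-codec-http:jar:4.1.129.Final:compile
[INFO] \\- ch.qos.logback:logback-classic:jar:1.5.19:compile
"""

# groupId:artifactId:jar:version[:scope] as printed by the dependency plugin.
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)")


def version_key(version):
    """Sort key so 12.0.32 > 12.0.20 and 4.1.129.Final > 4.1.126.Final numerically."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.split(".")]


def below_minimum(tree_text, minimums=FIXED_MINIMUMS):
    """Return (group, artifact, version, minimum) for every coordinate under a
    managed groupId that resolves below its fixed version; [] means clean."""
    findings = []
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        for prefix, minimum in minimums.items():
            in_scope = group == prefix or group.startswith(prefix + ".")
            if in_scope and version_key(version) < version_key(minimum):
                findings.append((group, artifact, version, minimum))
    return findings


if __name__ == "__main__":
    for group, artifact, version, minimum in below_minimum(SAMPLE_TREE):
        print(f"STILL VULNERABLE: {group}:{artifact}:{version} (need >= {minimum})")
```

Run it against a real tree with `below_minimum(open("/tmp/final-tree.txt").read())`; a non-empty result means a transitive pin did not take effect.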

<junit.vintage.version>5.13.1</junit.vintage.version>
<concurrent.version>1.3.4</concurrent.version>
<netty.version>4.1.126.Final</netty.version>
<netty.version>4.1.129.Final</netty.version>
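Review bot: the netty.version bump on the last line of this hunk changes the Netty line that every Netty artifact in the build resolves to, yet the verification script in the PR description only greps dependency:tree for netty-codec-http; before merging, extend that check so the other Netty consumers (reactor-netty, the S3 driver, the Cassandra driver) are confirmed to resolve to one compatible Netty version rather than a mix of 4.1.126 and 4.1.129.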
Contributor

@chibenwa chibenwa Apr 11, 2026


Please drop the Netty version from here: this is a sensible topic as we need alignment with

  • s3 driver
  • cassandra driver
  • reactor-netty

We cannot just flip the netty jar alone without risking some subtle bugs, and we try our best to align.

We likely shall wait a few days for reactor-netty to push a 4.2.17 version that aligns, and pick a compatible version of the S3 driver too; it releases quite frequently. We can likely force the dependency for Cassandra - we already do it.

<concurrent.version>1.3.4</concurrent.version>
<netty.version>4.1.126.Final</netty.version>
<netty.version>4.1.129.Final</netty.version>
<jetty.version>12.0.32</jetty.version>
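Review bot: the new jetty.version property on the last line of this hunk carries no comment saying why 12.0.32 is the floor; since the PR description ties it to CVE-2025-5115 and CVE-2026-1605 and the property only exists to override what spark-core brings in transitively, a one-line XML comment naming those two CVEs next to it would keep a later cleanup from dropping the pin.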
Contributor


Are we sure it does not break spark java?

Comment on lines +2846 to +2850
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-http</artifactId>
<version>${jetty.version}</version>
</dependency>
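Review bot: the managed jetty-http entry in this hunk silently overrides the Jetty version declared by spark-core, the only consumer named on this page, so the effective Jetty line is now decided here and has to be revalidated on every spark-core change; if the route the reviewers prefer (bumping spark-core) is taken, this entry and its sibling Jetty entries should be removed rather than left as a stale override.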
Contributor


I think we shall upgrade https://mvnrepository.com/artifact/org.zoomba-lang/spark-core/3.0.4 rather than forcing the version of the jetty transitive dependency.

Author


Thank you for your comment. Yes, I will test the upgrade to spark-core 3.0.4 locally and then will only include those changes in the current PR. I'll also create a different PR for the netty upgrade of the S3 driver and cassandra once the reactor version becomes available.

Contributor

@chibenwa chibenwa Apr 13, 2026


Thanks a lot!

The netty upgrade is likely tricky as reactor-netty seems to adopt netty 4.2.x while the rest of our dependencies actually rely on Netty 4.1.x. This could make the upgrade more complex, potentially requiring approaches like shading (although that comes with its own drawbacks).

The spark-core upgrade is however likely easy and could be done straight away...

:-(

Contributor

@chibenwa chibenwa left a comment


Thanks for raising the topic.

I believe that we shall have 2 PRs: one for Jetty, where we rather bump the spark core dependency, and one for Netty, where we do a coordinated upgrade of the dependencies that use netty.

Would this make sense to you?

<james.baseVersion>${project.version}</james.baseVersion>
<james.protocols.groupId>${james.groupId}.protocols</james.protocols.groupId>
<jetty.version>12.0.32</jetty.version>
<netty.version>4.1.129.Final</netty.version>
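Review bot: these two properties in examples/pom.xml duplicate the values set in the root pom.xml and, because this POM inherits from org.apache:apache:23 rather than the project root (as the PR description notes), nothing keeps the two copies in sync; either point this POM at a single source for the version or drop the properties together with the matching <dependencyManagement> block, as the reviewer below suggests.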
Contributor


I don't think those additions are necessary in examples/pom.xml

Author


Thank you for the comment, sounds good. I'll delete and retest the build and check the dependency tree again.
