Hello,
We were conducting a security review and identified that recent releases of Openfire are using Netty version 4.1.118.Final, as confirmed in the project’s pom.xml file.
This version of Netty is known to be vulnerable to at least two publicly disclosed CVEs:
- CVE-2025-58056 (High Severity - HTTP Request Smuggling)
- CVE-2025-58057 (High Severity - Denial of Service via Compression)
Both of these vulnerabilities are officially patched in Netty version 4.1.125.Final.
Would it be possible to update this core dependency in a future release to mitigate these security risks?