
fix: bump io.netty:netty-codec to 4.1.133.Final (CVE-2026-42583) #106

Merged: matt-evervault merged 2 commits into main from COM-1223/patch-CVE-2026-42583 on Jun 12, 2026

Conversation

@evervault-dependencies (Contributor)

Linear issue

COM-1223

Summary

Bumps the forced version of io.netty:netty-codec from 4.1.125.Final to 4.1.133.Final to remediate CVE-2026-42583 (HIGH, CVSS 7.5).

This aligns netty-codec with the already-pinned netty-codec-http / netty-codec-http2 (4.1.133.Final).

CVE details

CVE-2026-42583: io.netty:netty-codec Lz4FrameDecoder unbounded pre-allocation

  • Severity: HIGH
  • CVSS: 7.5
  • SLA Deadline: 2026-06-25T17:36:09.485Z
  • Affected package: io.netty:netty-codec <= 4.1.132.Final
  • Fixed in: 4.1.133.Final

Lz4FrameDecoder trusts the attacker-controlled decompressedLength header (up to 32 MB) and calls ctx.alloc().buffer(decompressedLength, decompressedLength) before decompressing — so a 22-byte frame can force a 32 MB allocation, enabling a memory exhaustion DoS.

Real-world exposure in this codebase: very low

  • No Kotlin/Java source in this repo references netty, Lz4FrameDecoder, or any compression decoder.
  • The SDK's HTTP stack is Ktor + OkHttp, not Netty.
  • netty-codec only appears in the gradle lockfiles under Android Gradle Plugin's Unified Test Platform configurations (_internal-unified-test-platform-*). It ships only into the local instrumentation/test toolchain, never into the published evervault-* AARs that consumers ingest.
  • Even within those test configurations, Lz4FrameDecoder is not on a code path reachable from an attacker network.

Despite the low real-world exposure, the repo already follows the convention of forcing every Dependabot-flagged Netty version via resolutionStrategy.force(...), and the alert has an SLA. The currently forced version (4.1.125.Final) is vulnerable and must be bumped to the upstream fix.

Changes

  • build.gradle.kts: force("io.netty:netty-codec:4.1.125.Final") → force("io.netty:netty-codec:4.1.133.Final")
  • All five module gradle.lockfiles updated to pin io.netty:netty-codec:4.1.133.Final.

Upgrade risk

  • Minimal. 4.1.125 → 4.1.133 is a patch-level bump within the 4.1.x line; Netty maintains binary compatibility across 4.1.x. The three other netty-codec* artifacts are already at 4.1.133.Final in this repo, so no version skew is introduced.
  • Only impacts test/instrumentation classpaths; published SDK artifacts are unaffected.

References
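The CVE summary above describes a decoder that sizes its output buffer from a length field it has not yet verified against real data. The script below is an added illustration of that pattern and of a defensive alternative; it is not Netty's code and not the upstream fix. The frame layout it parses (8-byte "LZ4Block" magic, a token byte whose low nibble is the block-size level, then three little-endian int32 fields for compressedLength, decompressedLength and checksum) is taken from the lz4-java block stream format that Lz4FrameDecoder consumes, and is stated here as an assumption. The two sample frames, the budget value and all function names are constructed for the example.

```python
"""Header-trust check for LZ4 block frames (added example; not Netty's code).

Assumed layout (lz4-java block stream format, stated as an assumption):
8-byte magic "LZ4Block", a 1-byte token (high nibble = compression method,
low nibble = block-size level), then three little-endian int32 fields
(compressedLength, decompressedLength, checksum): 21 bytes, followed by
compressedLength payload bytes. blockSize = 1 << (level + 10), so the
largest level (15) declares a 32 MB block.
"""
import struct

MAGIC = b"LZ4Block"
HEADER_LEN = len(MAGIC) + 1 + 4 + 4 + 4            # 21 bytes
COMPRESSION_LEVEL_BASE = 10
MAX_BLOCK_SIZE = 1 << (COMPRESSION_LEVEL_BASE + 15)  # 32 MB


def parse_header(frame: bytes) -> dict:
    """Decode the fixed-size header; raise ValueError on anything malformed."""
    if len(frame) < HEADER_LEN:
        raise ValueError("short header")
    if frame[:len(MAGIC)] != MAGIC:
        raise ValueError("bad magic")
    token = frame[len(MAGIC)]
    compressed_len, decompressed_len, checksum = struct.unpack_from(
        "<iii", frame, len(MAGIC) + 1)
    return {
        "method": token & 0xF0,
        "block_size": 1 << (COMPRESSION_LEVEL_BASE + (token & 0x0F)),
        "compressed_len": compressed_len,
        "decompressed_len": decompressed_len,
        "checksum": checksum,
        "payload_len": len(frame) - HEADER_LEN,
    }


def structural_checks(h: dict) -> None:
    """Range checks a decoder can make from the header alone."""
    if not 0 <= h["decompressed_len"] <= h["block_size"]:
        raise ValueError("decompressedLength outside the declared block size")
    if not 0 <= h["compressed_len"] <= h["decompressed_len"]:
        raise ValueError("compressedLength larger than decompressedLength")


def trusting_prealloc(frame: bytes) -> int:
    """The weak pattern: the header passes its range checks and the output
    buffer is then sized from the peer-supplied decompressedLength before a
    single byte has been decompressed. Returns the bytes that would be allocated."""
    h = parse_header(frame)
    structural_checks(h)
    return h["decompressed_len"]


def budgeted_prealloc(frame: bytes, budget: int) -> int:
    """Hardened policy for this illustration (not the upstream fix): the same
    range checks, plus a caller-owned allocation budget that the declared output
    may not exceed, and no allocation until the promised payload has arrived."""
    h = parse_header(frame)
    structural_checks(h)
    if h["decompressed_len"] > budget:
        raise ValueError(f"declared output {h['decompressed_len']} exceeds budget {budget}")
    if h["payload_len"] < h["compressed_len"]:
        raise ValueError("compressed payload incomplete; allocate nothing yet")
    return h["decompressed_len"]


def amplification(frame: bytes) -> int:
    """Bytes allocated per byte received under the trusting policy (floor)."""
    return trusting_prealloc(frame) // len(frame)


def build_frame(level: int, compressed_len: int, decompressed_len: int, payload: bytes) -> bytes:
    """Construct header + payload for testing (method nibble 0x20, checksum 0)."""
    token = 0x20 | (level & 0x0F)
    return MAGIC + bytes([token]) + struct.pack("<iii", compressed_len, decompressed_len, 0) + payload


# Constructed inputs: a 22-byte frame declaring a 32 MB output from one payload
# byte (the shape the advisory text describes), and an ordinary 4 KB block.
OVERSIZED_FRAME = build_frame(15, 1, MAX_BLOCK_SIZE, b"\x00")
BENIGN_FRAME = build_frame(2, 512, 4096, bytes(512))

if __name__ == "__main__":
    print("frame bytes:", len(OVERSIZED_FRAME), "trusting alloc:", trusting_prealloc(OVERSIZED_FRAME))
    print("amplification: %dx" % amplification(OVERSIZED_FRAME))
    try:
        budgeted_prealloc(OVERSIZED_FRAME, budget=1 << 20)
    except ValueError as exc:
        print("budgeted policy rejects:", exc)
    print("benign frame alloc:", budgeted_prealloc(BENIGN_FRAME, budget=1 << 20))
```

The point the numbers make is that the range checks alone are satisfied by the oversized frame (32 MB is a legal block size), so the bound has to come from something the peer does not control: a budget the application sets, and the data that has actually been received.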
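The Changes and Upgrade risk sections rely on two things being true after the bump: no gradle.lockfile still pins io.netty:netty-codec below 4.1.133.Final, and the netty-codec* family resolves to a single version. The script below is an added example of how to check both, not code from the PR or the repository. It parses the gradle.lockfile line format (`group:name:version=config1,config2`) and the Kotlin DSL `force("g:n:v")` call the description mentions; the sample lockfile text, the build-script snippets and the `_internal-unified-test-platform-placeholder` configuration name are constructed for the illustration.

```python
"""Audit Gradle lockfiles and a build script for the netty-codec pin.

Added example, not part of the PR. Sample inputs below are constructed;
the configuration name is a placeholder.
"""
import re

FIXED_VERSION = "4.1.133.Final"               # fixed-in version from the advisory
VULNERABLE_ARTIFACT = "io.netty:netty-codec"  # the artifact the CVE names

LOCK_LINE = re.compile(
    r"^(?P<group>[^:#=\s]+):(?P<name>[^:=\s]+):(?P<version>[^=\s]+)=(?P<configs>.*)$")
FORCE_CALL = re.compile(
    r'force\(\s*"(?P<group>[^:"]+):(?P<name>[^:"]+):(?P<version>[^"]+)"\s*\)')


def version_key(version: str) -> tuple:
    """Order Netty-style versions by numeric components (4.1.125.Final -> (4, 1, 125)).
    Qualifiers such as 'Final' are ignored, which is adequate within the 4.1.x line."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(coordinate: str, version: str) -> bool:
    """True for the affected artifact at any version below the fixed release."""
    return coordinate == VULNERABLE_ARTIFACT and version_key(version) < version_key(FIXED_VERSION)


def audit_lockfile(text: str) -> list:
    """One record per io.netty:netty-codec* entry, flagging vulnerable pins."""
    findings = []
    for line in text.splitlines():
        m = LOCK_LINE.match(line.strip())
        if not m:
            continue  # comments, blank lines, the trailing `empty=` marker
        coordinate = f"{m['group']}:{m['name']}"
        if not coordinate.startswith("io.netty:netty-codec"):
            continue
        findings.append({
            "coordinate": coordinate,
            "version": m["version"],
            "configurations": [c for c in m["configs"].split(",") if c],
            "vulnerable": is_vulnerable(coordinate, m["version"]),
        })
    return findings


def forced_versions(build_script: str) -> dict:
    """Map each force("g:n:v") coordinate in a build script to its pinned version."""
    return {f"{m['group']}:{m['name']}": m["version"] for m in FORCE_CALL.finditer(build_script)}


def version_skew(findings: list) -> set:
    """Distinct versions across the netty-codec* family; more than one means skew."""
    return {f["version"] for f in findings}


# Constructed sample inputs (placeholder configuration name).
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
io.netty:netty-codec-http2:4.1.133.Final=_internal-unified-test-platform-placeholder
io.netty:netty-codec-http:4.1.133.Final=_internal-unified-test-platform-placeholder
io.netty:netty-codec:4.1.125.Final=_internal-unified-test-platform-placeholder
io.netty:netty-common:4.1.133.Final=_internal-unified-test-platform-placeholder
empty=
"""
SAMPLE_BUILD_SCRIPT_BEFORE = 'force("io.netty:netty-codec:4.1.125.Final")'
SAMPLE_BUILD_SCRIPT_AFTER = 'force("io.netty:netty-codec:4.1.133.Final")'

if __name__ == "__main__":
    findings = audit_lockfile(SAMPLE_LOCKFILE)
    for f in findings:
        print(f"{f['coordinate']}:{f['version']}  {'VULNERABLE' if f['vulnerable'] else 'ok'}")
    print("version skew:", version_skew(findings))
    print("forced before:", forced_versions(SAMPLE_BUILD_SCRIPT_BEFORE))
    print("forced after: ", forced_versions(SAMPLE_BUILD_SCRIPT_AFTER))
```

Run it over each module's gradle.lockfile after the bump; an empty vulnerable list and a single-element skew set is the expected state this PR describes.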

changeset-bot (Bot) commented Jun 6, 2026

🦋 Changeset detected

Latest commit: b9e798d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
evervault-android Patch


socket-security (Bot) commented Jun 6, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: High
Alert: Obfuscated code: maven io.netty:netty-codec is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: evervault-cages/gradle.lockfile -> maven/io.netty/netty-codec-http2@4.1.133.Final -> maven/io.netty/netty-codec@4.1.133.Final


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/io.netty/netty-codec@4.1.133.Final. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


matt-evervault merged commit f02e626 into main on Jun 12, 2026
5 checks passed
matt-evervault deleted the COM-1223/patch-CVE-2026-42583 branch on June 12, 2026 at 10:05