Did I get your attention with a sensational subject? Here is the trick: avoid netty-all.
If you depend on netty transport:

mvn org.owasp:dependency-check-maven:check > /tmp/hadoop-deps.txt

-------------------------------------------
[INFO] Writing HTML report to: /home/edward/hadoop/hadoop-common-project/hadoop-common/target/dependency-check-report.html
[WARNING] One or more dependencies were identified with known vulnerabilities in Apache Hadoop Common:

netty-transport-4.1.127.Final.jar (pkg:maven/io.netty/netty-transport@4.1.127.Final, cpe:2.3:a:netty:netty:4.1.127:*:*:*:*:*:*:*) : CVE-2025-67735
protobuf-java-2.5.0.jar (pkg:maven/com.google.protobuf/protobuf-java@2.5.0, cpe:2.3:a:google:protobuf-java:2.5.0:*:*:*:*:*:*:*) : CVE-2024-7254, CVE-2022-3171, CVE-2021-22569
--------------------------

Ok fine, it complains about netty-transport, but what can you do if you are really using it? What if you include netty-all?

-------------------------------
[INFO] Writing HTML report to: /home/edward/hadoop/hadoop-common-project/hadoop-nfs/target/dependency-check-report.html
[WARNING] One or more dependencies were identified with known vulnerabilities in Apache Hadoop NFS:

netty-codec-memcache-4.1.127.Final.jar (pkg:maven/io.netty/netty-codec-memcache@4.1.127.Final, cpe:2.3:a:memcache_project:memcache:4.1.127:*:*:*:*:*:*:*, cpe:2.3:a:netty:netty:4.1.127:*:*:*:*:*:*:*) : CVE-2025-67735
netty-codec-mqtt-4.1.127.Final.jar (pkg:maven/io.netty/netty-codec-mqtt@4.1.127.Final, cpe:2.3:a:mqtt:mqtt:4.1.127:*:*:*:*:*:*:*, cpe:2.3:a:netty:netty:4.1.127:*:*:*:*:*:*:*) : CVE-2025-67735
netty-transport-4.1.127.Final.jar (pkg:maven/io.netty/netty-transport@4.1.127.Final, cpe:2.3:a:netty:netty:4.1.127:*:*:*:*:*:*:*) : CVE-2025-67735
------------------------------------------

You tend to get multiple unrelated vulnerabilities. (I doubt Hadoop NFS is doing edge computing on mqtt devices) :) As it turns out, the dependency is not used at all as far as I can tell.
https://github.com/apache/hadoop/pull/8187/files

I usually put netty-all in my "enforcer plugin" as a way to avoid it sneaking in and then creating N vulnerabilities in the near future!

Cheers
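The enforcer rule the post refers to, written out as an added example (this is not the configuration from the post or from the Hadoop PR). The plugin version is an assumption; the bannedDependencies rule fails the build when io.netty:netty-all appears anywhere in the resolved dependency tree, including transitively, so a new third-party dependency cannot silently pull the whole bundle back in:

```xml
<!-- Added example: ban the netty-all bundle so only the netty modules
     actually used (e.g. netty-transport) can reach the classpath.
     Place inside <build><plugins> of the parent or module pom. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <!-- version is an assumption; pin to whatever your build already uses -->
  <version>3.4.1</version>
  <executions>
    <execution>
      <id>ban-netty-all</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <bannedDependencies>
            <!-- searchTransitive defaults to true, so a transitive
                 netty-all brought in by another library also fails -->
            <searchTransitive>true</searchTransitive>
            <excludes>
              <!-- groupId:artifactId, any version -->
              <exclude>io.netty:netty-all</exclude>
            </excludes>
            <message>
              io.netty:netty-all is banned: depend on the specific netty
              modules you use so that unused codecs (mqtt, memcache, ...)
              do not add unrelated CVEs to dependency-check reports.
            </message>
          </bannedDependencies>
        </rules>
        <fail>true</fail>
      </configuration>
    </execution>
  </executions>
</plugin>
```

Run `mvn enforcer:enforce` (or a normal build, since the goal is bound to the validate phase by default) and the message above is printed with the offending dependency path when the rule trips.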
