From 24c7e034eccd7a145a4b62f7b46926a1c39c0623 Mon Sep 17 00:00:00 2001
From: maximthomas <maxim.thomas@gmail.com>
Date: Fri, 17 Apr 2026 10:13:51 +0300
Subject: [PATCH] CVE-2025-58057 unbounded memory allocation in Netty's
 BrotliDecoder allows OOM via zip-bomb

---
 pom.xml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 784f573a4..db58f19e7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -210,7 +210,7 @@
         <jetty.version>11.0.25</jetty.version>
         <grizzly-framework.version>3.0.1</grizzly-framework.version>
         <servlet-api.version>5.0.0</servlet-api.version>
-        <cassandra.version>4.19.2</cassandra.version>
+        <cassandra.version>4.19.2</cassandra.version><!--after version update, check netty version-->
         <cassandra-all.version>5.0.7</cassandra-all.version>
     </properties>
 
@@ -941,6 +941,13 @@
                         <artifactId>lz4-java</artifactId>
                     </exclusion>
                 </exclusions>
+            </dependency>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-bom</artifactId>
+                <version>4.1.132.Final</version>
+                <type>pom</type>
+                <scope>import</scope>
             </dependency>
 		</dependencies>
 	</dependencyManagement>