From 70da7973446e901b9782dbf7bc41fba8455f27b8 Mon Sep 17 00:00:00 2001
From: Behnam Mozafari
Date: Tue, 31 Mar 2026 11:54:27 +1100
Subject: [PATCH 1/4] Upgrade Netty to 4.1.132.Final to fix CVE-2026-33870 and CVE-2026-33871

Add Netty BOM to dependencyManagement to override the vulnerable transitive Netty version (~4.1.115.Final) pulled in by Vert.x 4.5.21.
- CVE-2026-33870: HTTP request smuggling via chunked extension parsing (CVSS 7.5)
- CVE-2026-33871: HTTP/2 DoS via CONTINUATION frame flood (CVSS 8.7)
See: UID2-6837
Co-Authored-By: Claude Opus 4.6
---
 pom.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pom.xml b/pom.xml
index 608b9eb..83259a8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -13,6 +13,7 @@ 21 4.5.21 11.4.0 + 4.1.132.Final
@@ -36,6 +37,13 @@ + + io.netty + netty-bom + ${netty.version} + pom + import + org.junit junit-bom

From 48883a4399693d35280564e80bb39c389d75c7b2 Mon Sep 17 00:00:00 2001
From: Behnam Mozafari
Date: Tue, 31 Mar 2026 14:35:21 +1100
Subject: [PATCH 2/4] Update uid2-shared to 11.4.16

Co-Authored-By: Claude Opus 4.6
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 83259a8..a309e19 100644
--- a/pom.xml
+++ b/pom.xml
@@ -12,7 +12,7 @@ 21 21 4.5.21 - 11.4.0 + 11.4.16 4.1.132.Final

From 8f028e7faca220e69920492f251348a5e28cd147 Mon Sep 17 00:00:00 2001
From: Behnam Mozafari
Date: Tue, 31 Mar 2026 15:29:23 +1100
Subject: [PATCH 3/4] UID2-6837: Silence CVE-2025-67030 (plexus-utils from Maven base image)

---
 .trivyignore | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.trivyignore b/.trivyignore
index 0a8aa9a..f054f51 100644
--- a/.trivyignore
+++ b/.trivyignore
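Review bot: The new `netty.version` property and the `netty-bom` import in the dependencyManagement hunk (`@@ -36,6 +37,13 @@`) pin Netty above what Vert.x 4.5.21 declares, but nothing in the pom records why the pin exists or when it can be dropped, so a later Vert.x upgrade can silently leave the project on an override that is older than what Vert.x itself would bring in. Add a comment next to the property, e.g. `<!-- UID2-6837: overrides the Netty version pulled in transitively by Vert.x (CVE-2026-33870, CVE-2026-33871); remove once the Vert.x release in use ships Netty >= 4.1.132.Final -->`. It is also worth confirming with `mvn dependency:tree -Dincludes=io.netty` that every io.netty artifact the project resolves now ends up at 4.1.132.Final, since an imported BOM only manages the artifacts that BOM lists and a native-transport or tcnative artifact outside it would stay at the Vert.x-declared version. Both pom hunks are partial in the collapsed patch text, so the surrounding `<properties>` and `<dependencyManagement>` elements are not visible here.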
@@ -1,3 +1,7 @@
 # List any vulnerability that are to be accepted
 # See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/
 # for more details
+
+# UID2-6837
+# plexus-utils directory traversal - comes from Maven installation in base image (maven:3.9.11-eclipse-temurin-21), not from our code dependencies. Not exploitable at runtime.
+CVE-2025-67030 exp:2026-05-01
\ No newline at end of file

From de8d08928031574cf5ccc6946207736e954d757b Mon Sep 17 00:00:00 2001
From: Behnam Mozafari
Date: Tue, 31 Mar 2026 15:31:35 +1100
Subject: [PATCH 4/4] UID2-6837: Update CVE-2025-67030 silence expiry to 2026-10-01 (6 months)

---
 .trivyignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.trivyignore b/.trivyignore
index f054f51..7902316 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -4,4 +4,4 @@
 
 # UID2-6837
 # plexus-utils directory traversal - comes from Maven installation in base image (maven:3.9.11-eclipse-temurin-21), not from our code dependencies. Not exploitable at runtime.
-CVE-2025-67030 exp:2026-05-01
\ No newline at end of file
+CVE-2025-67030 exp:2026-10-01
\ No newline at end of file
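Review bot: The justification added for CVE-2025-67030 states the plexus-utils copy is "not exploitable at runtime" but does not record the fact that supports it — whether the `maven:3.9.11-eclipse-temurin-21` layer is absent from the shipped image (used only in a build stage) or is present at runtime with plexus-utils never invoked by the service; the two cases age very differently and a later reviewer cannot tell which one was checked. Suggest expanding the comment to name the basis and the re-check trigger, e.g. `# Maven and plexus-utils exist only in the build stage, not in the runtime image; re-evaluate if the base image tag changes` (worded for whichever case actually holds). The expiry extension to 2026-10-01 in the `[PATCH 4/4]` hunk names no follow-up action in the file; pointing the comment at what retires the suppression (moving to a base image with a patched plexus-utils) keeps the six months from simply rolling over again. The file is also committed without a trailing newline (`\ No newline at end of file`) in both hunks.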