NO-TICKET/[agent-vuln-fix] Upgrade netty 4.1.133.Final -> 4.2.13.Final (CVE-2026-42582)

[suresh-prakash]

Security Fix: Upgrade Netty to Resolve CVE-2026-42582

What Changed

Updated netty version in gradle/libs.versions.toml:

• Before: netty = "4.1.133.Final"
• After: netty = "4.2.13.Final"

Vulnerability

Dependency	Old Version	New Version	CVE	CVSS
io.netty:netty-* (all modules)	4.1.133.Final	4.2.13.Final	CVE-2026-42582	8.8 (HIGH)

Why This Version

• NVD fix version: 4.2.13.Final (verified available in Maven Central)
• Minimum safe version: Selected as the lowest release resolving the CVE

Cascade Chain

Traceableai/api-anomaly-detection -> traceable-bom -> Hypertrace/hypertrace-bom (this repo)

Companion PRs:

• traceable-bom: https://github.com/Traceableai/traceable-bom/pull/10302

Verification

• Triggered by scan of: Traceableai/api-anomaly-detection
• OWASP scan run: https://github.com/Traceableai/testagenticflowvuln/actions/runs/27613698463
• Force resolutions validated that upgrading to 4.2.13.Final resolves CVE-2026-42582

Test Plan

• Build succeeds in this BOM repository
• traceable-bom and downstream services build successfully with updated chain

---

Generated with Claude Code - Autonomous Vulnerability Remediation

[aaron-steinfeld]

keep it 4.1.x please

[suresh-prakash]

Closing — this upgrade was incorrect. CVE-2026-42582 (GHSA-2c5c-chwr-9hqw) only affects io.netty:netty-codec-http3 in the 4.2.x range (>= 4.2.0, <= 4.2.12). The current 4.1.133.Final is not affected — the OWASP scan was a false positive misattributing the 4.2.x CVE to the 4.1.x artifacts. No change needed.