We are extremely pleased to announce that Eclipse Vert.x version 4.3.7 has been released.

Since the release of Vert.x 4.3.6, quite a few bugs have been reported. We would like to thank you all for reporting these issues.

This release updates to Netty-4.1.86.Final which fixes two CVEs

• CVE-2022-41881
• CVE-2022-41915

Vert.x is immune to CVE-2022-41915, as the class mentioned is used for HTTP server request and HTTP client response, thus is not used to write headers to an outbound endpoint, instead it is used to receive HTTP headers from the remote endpoint.

Vert.x is sensitive to CVE-2022-41881 if a TCP server is configured to receive HA proxy traffic: the server can receive a crafted HA proxy prefix that throws a stack trace overflow, which is caught by the Vert.x server and the TCP connection remains as is in the server, causing an potential exhaustion of resources. It can be mitigated with a timeout, set on the server options, e.g. options.setProxyProtocolTimeout(10) which closes the connection after 10 seconds. We also advise to expose such server only to a trusted HA proxy instance and not in the wild, in addition we recommend to always set up a timeout.

The 4.3.7 release notes can be found on the wiki.

You can bootstrap a Vert.x 4 project using start.vertx.io.

You can try virtual thread support with our incubation project.

The release artifacts have been deployed to Maven Central and you can get the distribution on Maven Central.

The Vert.x 4 eventbus JavaScript client library is now available in a single location and it now usable standalone or it can easily be integrated with any frontend build tool.

The Vert.x distribution is available from SDKMan and our HomeBrew TAP.

Docker images are available on Docker Hub.

That’s it! Happy coding and see you soon on our user or dev channels.