Netty published a security advisory for a crash in SslHandler. grpc-java's usage of Netty uses newEngine() for both client and server, so it is not vulnerable. This means grpc-netty and grpc-netty-shaded are not vulnerable. I looked at recent and ancient history and believe no grpc-java version to be vulnerable (e.g., an old commit from 2015 was using newEngine()).
Good dependency hygiene would still dictate upgrading io.netty if it is in your dependency tree.