Fix dependency vulnerabilities#342
Merged
Merged
Conversation
Patches CVE-2025-27820 (CVSS 9.1, Critical): improper URI handling allows SSRF / redirect spoofing in apache-httpclient5. Fix is in 5.4.3. This is the only Critical-severity CVE in the full backend-sdks remediation plan. Changes ------- * pom.xml: httpclient5 dependency bumped from 5.3.1 to 5.4.3. 5.3.x -> 5.4.x maintains the public API. The fixes live inside URIBuilder and redirect handling, not exposed to consumers of this SDK. Validated locally ----------------- * mvn compile: BUILD SUCCESS (334 source files). * mvn test: 179 tests, 0 failures, 0 errors, 0 skipped. * mvn package: BUILD SUCCESS (jar + sources + javadoc). Impact ------ No source files (.java) modified. Public SDK API is unchanged. Consumers receive the patched httpclient5 transitively when they update their dependency on this SDK; no code action required on their side. No breaking change. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Patches CVE-2024-47554 (CVSS 7.5, High): denial of service via disproportionate resource consumption (UncheckedIOException without bound) when processing crafted compressed archives. Fix is in 1.27.1. Changes ------- * pom.xml: commons-compress dependency bumped from 1.26.2 to 1.27.1. Validated locally ----------------- * mvn compile: BUILD SUCCESS. * mvn test: 179 tests, 0 failures, 0 errors, 0 skipped. * mvn package: BUILD SUCCESS. Impact ------ No source files (.java) modified. Patch update with stable API. Consumers receive the patched commons-compress transitively. No breaking change. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
…ttpclient v4 explicitly
Audit flagged that maven-javadoc-plugin and maven-core were declared
under <dependencies> instead of <build><plugins>. That mistake had two
side effects:
1. The whole Maven internals tree leaked into the runtime classpath
(commons-configuration2, plexus-utils, etc.), inflating the attack
surface and bringing in transitive CVEs (CVE-2024-29131,
CVE-2024-29133, CVE-2022-4244, CVE-2022-4245).
2. It became the implicit provider of Apache HttpClient v4, which
MPDefaultHttpClient actually uses (36 imports of org.apache.http.*
in src/main/java). httpclient v4 was being pulled transitively
without an explicit version pin.
Changes
-------
* pom.xml: removed the <dependency> entries for maven-javadoc-plugin
3.8.0 (with its inner exclusions) and maven-core 3.9.6.
* pom.xml: added an explicit <dependency> on
org.apache.httpcomponents:httpclient:4.5.14, which is the real HTTP
client used by MPDefaultHttpClient. 4.5.14 is the latest 4.5.x
patch line and is hardened against CVE-2020-13956.
* maven-javadoc-plugin remains correctly declared in <build><plugins>
for its actual purpose (generating javadoc during the build); only
the bogus runtime-dependency declaration was removed.
No source files (.java) modified.
Validated locally
-----------------
* mvn compile: BUILD SUCCESS.
* mvn test: 179 tests, 0 failures, 0 errors, 0 skipped.
* mvn package: BUILD SUCCESS.
* dependency:tree confirms maven-core, maven-javadoc-plugin,
commons-configuration2 and plexus-* are out of the tree, while
httpclient 4.5.14 + httpcore 4.4.16 are now resolved as direct
dependencies.
CVEs closed
-----------
* CVE-2024-29131 / CVE-2024-29133 (commons-configuration2)
* CVE-2022-4244 / CVE-2022-4245 (plexus-utils)
* Pinning httpclient to 4.5.14 also covers CVE-2020-13956 if any
consumer was previously pulling an older 4.5.x version through
maven-core.
BREAKING CHANGE: consumers that were implicitly relying on Maven
internals being on the SDK runtime classpath (e.g. importing
commons-configuration2 or plexus-utils through this SDK without
declaring them themselves) must now declare those dependencies
directly in their own pom. This was always bad practice and the
audit recommends shipping this in the next major version.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Refreshes the JSON serialization library to a current stable minor. 2.8.9 is from 2021 and accumulated bugfixes have shipped since. gson 2.x is backward-compatible by design, so this is effectively a drop-in update. Changes ------- * pom.xml: gson dependency bumped from 2.8.9 to 2.11.0. Validated locally ----------------- * mvn compile: BUILD SUCCESS. * mvn test: 179 tests, 0 failures, 0 errors, 0 skipped. * mvn package: BUILD SUCCESS. Impact ------ No source files (.java) modified. The SDK consumes gson internally for JSON marshalling; consumers of the SDK do not see this change beyond receiving the patched library transitively. No breaking change. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Refreshes the Velocity template engine to its current stable line. 2.3 is from 2021. 2.4.x adds SSTI hardening and accumulated bugfixes. Changes ------- * pom.xml: velocity-engine-core dependency bumped from 2.3 to 2.4.1 (the existing exclusion of org.hsqldb:hsqldb is preserved). Validated locally ----------------- * mvn compile: BUILD SUCCESS. * mvn test: 179 tests, 0 failures, 0 errors, 0 skipped. * mvn package: BUILD SUCCESS. Impact ------ No source files (.java) modified. The SDK does not import any org.apache.velocity.* class in src/main/java or src/test/java (verified by grep). The behavior changes in Velocity 2.4 around UberspectImpl and context handling are therefore inert for this SDK. No breaking change. Note for a follow-up audit: both velocity-engine-core and velocity-tools-generic are declared in pom.xml but have zero usages in the SDK source tree. They are candidates for removal in a future cleanup PR; that scope is left out of this change set. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bumps third-party dependencies to remediate published CVEs and removes a long-standing
pom.xmlanomaly that mixed core/plugin coordinates with runtime dependencies.Changes
httpclient55.3.1 → 5.4.3 (CVE-2025-27820)commons-compress1.26.2 → 1.27.1 (CVE-2024-47554)maven-core/maven-javadoc-pluginentries from runtime deps; declarehttpclientv4 explicitly (breaking)gson2.8.9 → 2.11.0velocity-engine-core2.3 → 2.4.1Test plan