chore(deps): Security dependency remediation - Spring Boot 3.5.8 and library updates

Summary

Security vulnerability scan identified 507 vulnerabilities in the legal service dependencies. This issue tracks the remediation effort to update dependencies and align with upstream OSDU library releases.

Security Scan Results

Severity	Count	Key Issues
CRITICAL	54	Tomcat RCE (CVE-2025-24813), Jackson deserialization, Netty HTTP injection
HIGH	254	Auth bypass, SnakeYAML RCE, Netty DoS, nimbus-jose-jwt DoS
MEDIUM	199	Path traversal, DoS vectors, temp file disclosure

Dependencies

This work depends on the following library releases:

os-core-common - Release with Spring Boot 3.5.8, Netty 4.1.128.Final, Logback 1.5.21
core-lib-azure - Release with Spring 6.2.14, nimbus-jose-jwt 10.6, lettuce 6.8.1

Proposed Changes

legal/pom.xml (Parent)

<properties>
  <!-- OSDU Versions -->
  <os-core-common.version>TBD</os-core-common.version>

  <!-- Spring Versions - align with libraries -->
  <spring-boot.version>3.5.8</spring-boot.version>
  <spring-security.version>6.5.7</spring-security.version>
  <spring-framework-version>6.2.14</spring-framework-version>

  <!-- Project Versions -->
  <jackson.version>2.18.3</jackson.version>
  <gson.version>2.11.0</gson.version>
  <commons-beanutils.version>1.10.1</commons-beanutils.version>
  <openapi.version>2.8.6</openapi.version>
  <resilience4jVersion>1.7.1</resilience4jVersion>
  <netty.version>4.1.128.Final</netty.version>
</properties>

Add netty-bom in dependencyManagement:

<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-bom</artifactId>
    <version>${netty.version}</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>

legal/legal-core/pom.xml

<!-- Update versions -->
<commons-text.version>1.13.0</commons-text.version>
<lettuce-core.version>6.5.2.RELEASE</lettuce-core.version>

<!-- Add junit-vintage-engine for JUnit 4 compatibility -->
<dependency>
    <groupId>org.junit.vintage</groupId>
    <artifactId>junit-vintage-engine</artifactId>
    <scope>test</scope>
</dependency>

<!-- Update surefire plugin -->
<maven-surefire-plugin.version>3.5.2</maven-surefire-plugin.version>

legal/provider/legal-azure/pom.xml

<properties>
  <!-- Update after library release -->
  <core-lib-azure.version>TBD</core-lib-azure.version>
  <surefire-plugin.version>3.5.2</surefire-plugin.version>
</properties>

CVEs Addressed

Via Spring Boot 3.5.8

CVE-2025-24813: Tomcat RCE
CVE-2025-22235: Spring Boot security bypass
CVE-2025-48988, CVE-2025-48989, CVE-2025-55752: Additional Tomcat fixes

Via Spring Framework 6.2.14

CVE-2025-41249: Spring Core authorization bypass
CVE-2025-41242: Spring WebMVC path traversal
CVE-2025-41234: Reflected File Download attack

Via Spring Security 6.5.7

CVE-2025-41248: Authorization bypass
CVE-2025-22228: BCrypt password bypass

Via Netty 4.1.128.Final

CVE-2019-20444: HTTP Request Smuggling (CRITICAL)
CVE-2025-24970: Native crash via SSL
CVE-2025-58057: Codec DoS
CVE-2025-55163: HTTP/2 DoS

Via core-lib-azure

CVE-2023-52428, CVE-2025-53864: nimbus-jose-jwt DoS
CVE-2024-47535: lettuce-core vulnerability
CVE-2025-22227: reactor-netty credential leak

Via os-core-common

CVE-2025-11226: Logback ACE
CVE-2025-48924: Commons Lang3 DoS

Validation

Local testing with snapshot library versions:

legal-core: 336 tests passing
legal-azure: 27 tests passing
Total: 363 tests, 0 failures

Only code change required: Added junit-vintage-engine dependency for JUnit 4 test compatibility with Spring Boot 3.5.x

Out of Scope

The following major version bumps are deferred (no security pressure):

jjwt 0.9.1 → 0.12.x (API redesign required)
PowerMock → Mockito 5.x migration
resilience4j 1.x → 2.x

Checklist

os-core-common released with security fixes
core-lib-azure released with security fixes
Update legal pom.xml with released versions
Update legal-core pom.xml
Update legal-azure pom.xml with released version
Run full test suite
Create MR

Edited Dec 09, 2025 by Daniel Scholl (MS]