Fix Security Vulnerabilities in Indexer-Queue Service (!463) · Merge requests · OSDU / OSDU Data Platform / System / Indexer Queue · GitLab

Summary

This PR addresses security vulnerabilities in the community Indexer-Queue service by updating dependencies to their secure versions.

Vulnerabilities Fixed

1. Netty Codec Vulnerabilities (HIGH SEVERITY)

CVEs: CVE-2025-58056, CVE-2025-58057, CVE-2025-55163
Resolution: Fixed via Spring Boot 3.4.10 upgrade

2. Apache Commons Lang3 Vulnerability (MEDIUM SEVERITY)

CVE: CVE-2025-48924
Previous Version: 3.9
Fixed Version: 3.18.0

3. Nimbus JOSE JWT Vulnerability (MEDIUM SEVERITY)

CVE: CVE-2025-53864
Previous Version: 9.47 (in Azure enqueue module)
Fixed Version: 10.0.2

4. Reactor Netty HTTP Vulnerability (MEDIUM SEVERITY)

CVE: CVE-2025-22227
Resolution: Fixed via Spring Boot 3.4.10

Changes Made

pom.xml (Root)

Upgraded spring-boot.version: 3.3.7 → 3.4.10
Updated commons-lang3 from 3.9 to 3.18.0 with security comment

indexer-queue-azure-enqueue/pom.xml

Updated nimbus-jose.version: 9.47 → 10.0.2

Dependency Resolution

The Spring Boot 3.4.10 upgrade provides:

Netty components at 4.1.127.Final
Reactor Netty HTTP at 1.2.8

The commons-lang3 override is explicitly set to 3.18.0 to fix the vulnerability, as Spring Boot 3.4.10 still includes 3.17.0.

Notes

The commons-lang3 override can be removed when Spring Boot updates to 3.18.0 or later
The nimbus-jose-jwt update in the Azure enqueue module addresses the specific vulnerability

Edited Oct 03, 2025 by Charles Zipp