Fix Security Vulnerabilities in Indexer Service
Summary
This PR addresses security vulnerabilities in the community Indexer Service by updating dependencies and applying necessary overrides.
Vulnerabilities Fixed
1. Netty Codec Vulnerabilities (HIGH SEVERITY)
- CVEs: CVE-2025-58056, CVE-2025-58057, CVE-2025-55163
- Resolution: Fixed via Spring Boot 3.4.10 upgrade
2. Apache Commons Lang3 Vulnerability (MEDIUM SEVERITY)
- CVE: CVE-2025-48924
- Resolution: Explicit override to version 3.18.0
Changes Made
pom.xml (Root)
- Upgraded spring.boot.version: 3.3.11 → 3.4.10
- Removed explicit netty.version property (now managed by Spring Boot)
- Added commons-lang3 3.18.0 override in dependencies section
Dependency Resolution
The Spring Boot 3.4.10 upgrade provides:
- Netty components at 4.1.127.Final (fixes all Netty CVEs)
- Updated transitive dependencies
The commons-lang3 override is required because Spring Boot 3.4.10 includes version 3.17.0, which is still vulnerable.
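Illustrative root pom.xml fragment showing how the bump and the override fit together; this is an added example, not the PR's actual diff. It assumes the Spring Boot BOM is imported through spring-boot-dependencies (rather than used as a parent), and the project coordinates and the commons-lang3.version property are placeholders.

```xml
<!-- Constructed example pom.xml (not the Indexer Service's real file). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>                  <!-- placeholder -->
  <artifactId>indexer-service-parent</artifactId> <!-- placeholder -->
  <version>0.0.1-SNAPSHOT</version>               <!-- placeholder -->
  <packaging>pom</packaging>

  <properties>
    <!-- Bumped from 3.3.11. Spring Boot 3.4.10 manages Netty at
         4.1.127.Final, so the old explicit netty.version property
         is no longer declared here. -->
    <spring.boot.version>3.4.10</spring.boot.version>
    <!-- Assumed property name; pins the override in one place so it is
         easy to drop once Spring Boot manages commons-lang3 >= 3.18.0. -->
    <commons-lang3.version>3.18.0</commons-lang3.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Assumed BOM import; the BOM pins commons-lang3 at 3.17.0,
           which is still affected by CVE-2025-48924. -->
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>${spring.boot.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- A direct dependency with an explicit version takes precedence
         over the BOM-managed 3.17.0 for every module inheriting this pom,
         so the transitive commons-lang3 resolves to 3.18.0. -->
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>${commons-lang3.version}</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override actually took effect in the resolved graph, run `mvn dependency:tree -Dincludes=org.apache.commons:commons-lang3,io.netty` and check that only 3.18.0 and 4.1.127.Final appear.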
Notes
- Removed the explicit netty.version property as Spring Boot now manages the correct version
- The commons-lang3 override can be removed when Spring Boot updates to 3.18.0 or later
Edited by Charles Zipp