Fix Security Vulnerabilities in Search Service

Summary

This PR addresses security vulnerabilities in the community Search Service by updating dependencies and applying targeted overrides where necessary.

Vulnerabilities Fixed

1. Netty Codec Vulnerabilities (HIGH SEVERITY)

  • CVEs: CVE-2025-58056, CVE-2025-58057, CVE-2025-55163
  • Resolution: Fixed via Spring Boot 3.4.10 upgrade

2. Apache Commons Lang3 Vulnerability (MEDIUM SEVERITY)

  • CVE: CVE-2025-48924
  • Resolution: Explicit override to version 3.18.0

Changes Made

pom.xml (Root)

  • Upgraded spring-boot.version: 3.3.7 → 3.4.10
  • Added commons-lang3 3.18.0 override in dependencies section

Dependency Resolution

The Spring Boot 3.4.10 upgrade resolves the Netty vulnerabilities:

  • Netty components are now at 4.1.127.Final

The commons-lang3 override is required at the service level because Spring Boot 3.4.10 includes version 3.17.0, which is still vulnerable. This override can be removed once Spring Boot updates to commons-lang3 3.18.0 or later.

Notes

  • The commons-lang3 override is applied at the root POM level for comprehensive coverage
  • The override comment clearly indicates when it can be removed (when Spring Boot updates to 3.18.0+)
