chore(deps): Security dependency remediation - Spring Boot 3.5.8 and library updates

Summary

A security vulnerability scan identified 201 vulnerabilities in the storage service dependencies. This issue tracks the remediation effort to update those dependencies and align with the December 2025 platform-wide OSDU library releases.

Security Scan Results

Severity   Count   Key Issues
CRITICAL   5       Tomcat RCE (CVE-2025-24813), Tika XXE (CVE-2025-66516)
HIGH       89      Auth bypass, Netty DoS, json-smart DoS
MEDIUM     107     Path traversal, DoS vectors

Dependencies

This work depends on the following library releases:

  • os-core-common 4.0.0 - Released with Spring Boot 3.5.8, Netty 4.1.128.Final, Logback 1.5.21
  • os-core-lib-azure 2.3.0 - Released with Spring 6.2.14, nimbus-jose-jwt 10.6, lettuce 6.8.1

Proposed Changes

storage/pom.xml

<properties>
  <!-- OSDU Versions -->
  <os-core-common.version>4.0.0</os-core-common.version>

  <!-- Spring Versions -->
  <spring-boot.version>3.5.8</spring-boot.version>
  <spring-security.version>6.5.7</spring-security.version>
  <spring-framework-version>6.2.14</spring-framework-version>

  <!-- Project Versions -->
  <json-smart.version>2.6.0</json-smart.version>
  <openapi.version>2.8.6</openapi.version>
  <lombok.version>1.18.42</lombok.version>
  <netty.version>4.1.128.Final</netty.version>
  <commons-codec.version>1.17.1</commons-codec.version>

  <!-- Plugin Versions -->
  <spring-boot-maven-plugin.version>3.5.8</spring-boot-maven-plugin.version>
</properties>

storage-core/pom.xml

<!-- Updated surefire plugin for Spring Boot 3.5.x compatibility -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-surefire-plugin</artifactId>
  <version>3.5.4</version>
</plugin>

CVEs Addressed

Via Spring Boot 3.5.8

  • CVE-2025-24813 (CRITICAL): Tomcat RCE
  • CVE-2025-22235 (HIGH): Spring Boot security bypass

Via Spring Security 6.5.7

  • CVE-2025-41248 (HIGH): Authorization bypass on generic types
  • CVE-2025-22228 (HIGH): BCrypt password bypass (>72 char passwords)

Via Spring Framework 6.2.14

  • CVE-2025-41249 (HIGH): Authorization bypass via annotation detection
  • CVE-2025-41242 (HIGH): WebMVC path traversal

Via Netty 4.1.128.Final

  • CVE-2025-24970 (HIGH): SSL packet handling crash
  • CVE-2025-58057 (HIGH): Codec DoS vulnerability

Via json-smart 2.6.0

  • CVE-2024-57699 (HIGH): Stack exhaustion DoS
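The pom.xml properties above set the intended versions, but what actually lands on the classpath is decided by Maven's nearest-wins resolution and by imported BOMs (os-core-common 4.0.0 in this case), so it is worth confirming the resolved versions before treating the CVE list as closed. The script below is an added example, not part of this issue or of the OSDU project: it parses `mvn dependency:tree` output (a few constructed sample lines are embedded, including one deliberately stale Netty artifact and one stale json-smart) and reports every artifact from the groups named above that resolved below the version this issue targets. The groupId/artifactId coordinates are the standard ones for these libraries; the version ordering is a simplified comparison, not Maven's full ComparableVersion rules.

```python
import re
from typing import Dict, List, Tuple

# Version floors taken from the pom.xml properties and "CVEs Addressed" list in
# this issue. Keys are either a bare groupId (applies to every artifact in that
# group, exact match, so "org.springframework" does not cover
# "org.springframework.security") or a full "groupId:artifactId" coordinate.
FLOORS: Dict[str, str] = {
    "org.springframework.boot": "3.5.8",
    "org.springframework.security": "6.5.7",
    "org.springframework": "6.2.14",
    "io.netty": "4.1.128.Final",
    "net.minidev:json-smart": "2.6.0",
    "commons-codec:commons-codec": "1.17.1",
    "org.projectlombok:lombok": "1.18.42",
}

# Matches a resolved Maven coordinate as printed by dependency:tree or
# dependency:list: group:artifact:type[:classifier]:version:scope
COORD_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):(?:jar|war|pom|test-jar|bundle):"
    r"(?:[A-Za-z0-9_.\-]+:)?"  # optional classifier (e.g. linux-x86_64)
    r"([A-Za-z0-9_.\-]+):(?:compile|provided|runtime|test|system)\b"
)

# Constructed sample output (not from a real build); artifact versions chosen
# to show one compliant and two non-compliant resolutions.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ storage-core ---
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.5.8:compile
[INFO] |  +- org.springframework:spring-webmvc:jar:6.2.14:compile
[INFO] |  \\- org.springframework:spring-web:jar:6.2.14:compile
[INFO] +- org.springframework.security:spring-security-core:jar:6.5.7:compile
[INFO] +- io.netty:netty-codec:jar:4.1.128.Final:compile
[INFO] +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.128.Final:compile
[INFO] +- io.netty:netty-handler:jar:4.1.115.Final:compile
[INFO] +- net.minidev:json-smart:jar:2.5.1:compile
[INFO] +- commons-codec:commons-codec:jar:1.17.1:compile
[INFO] \\- org.projectlombok:lombok:jar:1.18.42:provided
"""


def version_key(version: str) -> Tuple:
    """Sortable key for a Maven-style version: numeric segments compare as
    integers, textual qualifiers (Final, RELEASE, ...) compare as strings.
    Simplified ordering: enough for x.y.z[.Qualifier] schemes used here."""
    parts = []
    for tok in re.split(r"[.\-]", version):
        if tok.isdigit():
            parts.append((0, int(tok), ""))
        else:
            parts.append((1, 0, tok.lower()))
    return tuple(parts)


def parse_resolved(lines: List[str]) -> Dict[str, str]:
    """Map each resolved 'group:artifact' to its version (last occurrence wins)."""
    resolved: Dict[str, str] = {}
    for line in lines:
        m = COORD_RE.search(line)
        if m:
            group, artifact, version = m.groups()
            resolved[f"{group}:{artifact}"] = version
    return resolved


def check_floors(tree_text: str, floors: Dict[str, str] = FLOORS) -> List[Tuple[str, str, str]]:
    """Return (coordinate, resolved_version, required_version) for every
    artifact that resolved below its floor. Empty list means all floors hold."""
    findings = []
    for coord, resolved_version in parse_resolved(tree_text.splitlines()).items():
        group = coord.split(":", 1)[0]
        required = floors.get(coord) or floors.get(group)
        if required is None:
            continue  # artifact not covered by this remediation
        if version_key(resolved_version) < version_key(required):
            findings.append((coord, resolved_version, required))
    return sorted(findings)


if __name__ == "__main__":
    # Replace SAMPLE_TREE with the real output of: mvn dependency:tree
    for coord, got, need in check_floors(SAMPLE_TREE):
        print(f"BELOW FLOOR: {coord} resolved {got}, issue targets {need}")
```

Run it against the real tree of each module (storage-core and storage-core-plus) rather than only the parent; a BOM imported in one module can still pin an older transitive in another, which is exactly the case the pom.xml property bump does not show on its own.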

Validation

  • All 548 unit tests passing (530 storage-core + 18 storage-core-plus)
  • No code changes required beyond pom.xml updates and surefire plugin fix

Checklist

  • os-core-common 4.0.0 released
  • os-core-lib-azure 2.3.0 released
  • Update storage pom.xml with released versions
  • Update storage-core pom.xml surefire plugin
  • Run full test suite
  • Create MR

Related

Part of platform-wide December 2025 security remediation effort:

  • os-core-common !316 (closed)
  • os-core-lib-azure !404 (merged)
  • entitlements !871 (merged)
  • partition !736 (merged)
  • legal !687 (merged)