Skip to content

[Snyk] Security upgrade io.vertx:vertx-rx-java from 3.5.2 to 4.5.23 #784

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
officialmofabs wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade io.vertx:vertx-rx-java from 3.5.2 to 4.5.23 #784

officialmofabs wants to merge 1 commit into from

Conversation

@officialmofabs
Copy link

@officialmofabs officialmofabs commented Dec 21, 2025

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • samples/client/petstore/java/vertx-no-nullable/pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue Score Upgrade
medium severity CRLF Injection
SNYK-JAVA-IONETTY-14423947		   631   io.vertx:vertx-rx-java:
3.5.2 -> 4.5.23
Major version upgrade No Known Exploit

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 CRLF Injection

@snyk-bot
fix: samples/client/petstore/java/vertx-no-nullable/pom.xml to reduce…
915b22f 
… vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-14423947
@socket-security
Copy link

socket-security bot commented Dec 21, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedmaven/​org.springframework.security.oauth/​spring-security-oauth2@​2.0.14.RELEASE362590100100
Addedmaven/​org.springframework.boot/​spring-boot-starter-web@​1.5.6.RELEASE1002590100100
Addedmaven/​org.jolokia/​jolokia-core@​1.3.7367890100100
Addedmaven/​org.junit.support/​testng-engine@​1.0.5361008910070
Addedmaven/​org.springframework/​spring-core@​5.3.2936859010080
Addedmaven/​org.junit.jupiter/​junit-jupiter-params@​5.10.0361009010070
Addedmaven/​org.springframework/​spring-context@​5.3.2936989010080
Addedmaven/​org.spockframework/​spock-core@​2.0-groovy-3.03610090100100
Addedmaven/​org.mockito/​mockito-core@​4.10.03610090100100
Addedmaven/​org.springframework/​spring-jdbc@​4.3.10.RELEASE3610090100100
Addedmaven/​org.springframework/​spring-test@​4.3.10.RELEASE361009010080
Addedmaven/​org.threeten/​threetenbp@​1.4.05110090100100
Addedmaven/​org.jetbrains.kotlin/​kotlin-script-util@​1.6.216510089100100
Addedmaven/​org.springframework.boot/​spring-boot@​2.7.156885100100100
Addedmaven/​org.springframework.boot/​spring-boot-autoconfigure@​2.7.1571100100100100
Addedmaven/​org.slf4j/​slf4j-api@​1.7.258910090100100
Addedmaven/​org.springframework.boot/​spring-boot-starter-test@​1.5.6.RELEASE10010089100100
Addedmaven/​org.springframework.boot/​spring-boot-starter-security@​1.5.6.RELEASE10010089100100
Addedmaven/​org.springframework.boot/​spring-boot-starter-remote-shell@​1.5.6.RELEASE10010089100100
Addedmaven/​org.springframework.boot/​spring-boot-starter-jetty@​1.5.6.RELEASE10010089100100
Addedmaven/​org.junit.platform/​junit-platform-runner@​1.10.0931008910070
Addedmaven/​org.tomitribe/​tomitribe-http-signatures@​1.49310089100100
Addedmaven/​org.springframework.boot/​spring-boot-starter-actuator@​1.5.6.RELEASE10010090100100
Addedmaven/​org.openapitools/​jackson-databind-nullable@​0.2.19710090100100
Addedmaven/​org.slf4j/​slf4j-ext@​1.7.369410090100100
Addedmaven/​org.junit.jupiter/​junit-jupiter@​5.10.01001009010070

View full report

@socket-security
Copy link

socket-security bot commented Dec 21, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: Remote Code Execution in Spring Framework in maven org.springframework.boot:spring-boot-starter-web

CVE: GHSA-36p3-wjmg-h94x Remote Code Execution in Spring Framework (CRITICAL)

Affected versions: < 2.5.12; >= 2.6.0 < 2.6.6

Patched version: 2.5.12

From: samples/server/petstore/java-pkmst/pom.xmlmaven/org.springframework.boot/spring-boot-starter-web@1.5.6.RELEASE

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.springframework.boot/spring-boot-starter-web@1.5.6.RELEASE. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: Spring Security OAuth vulnerable to remote code execution (RCE) in maven org.springframework.security.oauth:spring-security-oauth2

CVE: GHSA-rrpm-pj7p-7j9q Spring Security OAuth vulnerable to remote code execution (RCE) (CRITICAL)

Affected versions: >= 2.3.0 < 2.3.3; >= 2.2.0 < 2.2.2; >= 2.1.0 < 2.1.2; >= 2.0.0 < 2.0.15; >= 1.0.0 <= 1.0.5

Patched version: 2.0.15

From: samples/server/petstore/java-pkmst/pom.xmlmaven/org.springframework.security.oauth/spring-security-oauth2@2.0.14.RELEASE

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.springframework.security.oauth/spring-security-oauth2@2.0.14.RELEASE. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: Pivotal Spring Framework contains unsafe Java deserialization methods in maven org.springframework:spring-web

CVE: GHSA-4wrc-f8pq-fpqp Pivotal Spring Framework contains unsafe Java deserialization methods (CRITICAL)

Affected versions: < 6.0.0

Patched version: 6.0.0

From: pom.xmlmaven/org.springframework.boot/spring-boot-starter-web@1.5.6.RELEASEmaven/org.springframework/spring-web@5.3.29

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.springframework/spring-web@5.3.29. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@openhands-ai
Copy link

openhands-ai bot commented Dec 21, 2025

Looks like there are a few issues preventing this PR from being merged!

  • GitHub Actions are failing:
    • Linux tests
    • Samples Java Client JDK11
    • Windows tests
    • OpenAPI Generator
    • .github/workflows/samples-r.yaml
    • Samples Java Client JDK11

If you'd like me to help, just leave a comment, like

@OpenHands please fix the failing actions on PR #784 at branch `snyk-fix-060428a5a58637a5dcb8a24d644cea4a`

Feel free to include any additional details that might help me get this PR into a better state.

You can manage your notification settings

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@officialmofabs @snyk-bot