[Snyk] Security upgrade org.apache.poi:poi-ooxml from 5.2.5 to 5.4.0

[smaring]

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• plugins/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Improper Input Validation SNYK-JAVA-ORGAPACHEPOI-9685010	117	org.apache.poi:poi-ooxml: 5.2.5 -> 5.4.0 No Known Exploit

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Improper Input Validation

[hitachivantarasonarqube]

Quality Gate passed

Issues

• 0 New Issues
• 0 Fixed Issues
• 0 Accepted Issues

Measures

• 0 Security Hotspots
• No data about coverage
• 0.00% Duplicated Code (0.00% Estimated after merge)

Project ID: org.pentaho.di:pdi

View in SonarQube

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
Critical	org.apache.sshd:sshd-sftp:0.11.0	org.apache.mina:mina-core 2.0.7	[2.0.27] [2.1.10] [2.2.4]	CVE-2024-52046
Critical	org.apache.sshd:sshd-sftp:0.11.0	org.apache.sshd:sshd-core 0.11.0	[2.9.2]	CVE-2022-45047
Critical	org.springframework:spring-web:5.3.39	org.springframework:spring-web 5.3.39	[6.0.0]	CVE-2016-1000027
High	org.apache.sshd:sshd-sftp:0.11.0	org.apache.mina:mina-core 2.0.7	[2.0.21] [2.1.1]	CVE-2019-0231
High	org.apache.activemq:activemq-kahadb-store:5.18.4	org.apache.activemq:activemq-openwire-legacy 5.18.4	[5.16.8] [5.17.7] [5.18.7] [6.1.6]	CVE-2025-27533
High	org.apache.activemq:activemq-kahadb-store:5.18.4	org.apache.activemq:activemq-client 5.18.4	[5.16.8] [5.17.7] [5.18.7] [6.1.6]	CVE-2025-27533
High	pentaho-kettle:kettle-engine:10.3.0.0-SNAPSHOT-tests pentaho-kettle:kettle-ui-swt:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pentaho-googledrive-vfs-core:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:kettle-hl7-plugin-core:10.3.0.0-SNAPSHOT org.ini4j:ini4j:0.5.4 org.pentaho.di.plugins:pentaho-metastore-locator-core:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pentaho-kettle-repository-locator-impl-spoon:10.3.0.0-SNAPSHOT pentaho-kettle:kettle-engine:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:aggregate-rows-core:10.3.0.0-SNAPSHOT org.pentaho.reporting.engine:classic-extensions-kettle:10.3.0.0-SNAPSHOT	org.ini4j:ini4j 0.5.4	-	CVE-2022-41404
High	pentaho-kettle:kettle-ui-swt:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:aggregate-rows-core:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pentaho-metastore-locator-core:10.3.0.0-SNAPSHOT pentaho-kettle:kettle-engine:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pentaho-kettle-repository-locator-impl-spoon:10.3.0.0-SNAPSHOT pentaho-kettle:kettle-engine:10.3.0.0-SNAPSHOT-tests org.pentaho.di.plugins:pentaho-googledrive-vfs-core:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:kettle-hl7-plugin-core:10.3.0.0-SNAPSHOT org.pentaho.reporting.engine:classic-extensions-kettle:10.3.0.0-SNAPSHOT org.hibernate:hibernate-core:5.4.24.Final	org.hibernate:hibernate-core 5.4.24.Final	-	CVE-2026-0603
High	org.springframework:spring-core:5.3.39 pentaho-kettle:kettle-core:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pentaho-metastore-locator-core:10.3.0.0-SNAPSHOT pentaho:pentaho-platform-core:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pentaho-googledrive-vfs-core:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pentaho-kettle-repository-locator-impl-spoon:10.3.0.0-SNAPSHOT pentaho-kettle:kettle-core:10.3.0.0-SNAPSHOT-tests pentaho-kettle:kettle-ui-swt:10.3.0.0-SNAPSHOT org.springframework:spring-test:5.3.39 org.pentaho.di.plugins:aggregate-rows-core:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:kettle-hl7-plugin-core:10.3.0.0-SNAPSHOT org.pentaho.reporting.engine:classic-extensions-kettle:10.3.0.0-SNAPSHOT	org.springframework:spring-core 5.3.39	[6.2.11]	CVE-2025-41249
High	io.netty:netty-codec-http:4.1.108.Final org.pentaho.di.plugins:pentaho-streaming-jms-plugin:10.3.0.0-SNAPSHOT	io.netty:netty-codec-http 4.1.108.Final	[4.1.125.Final] [4.2.5.Final]	CVE-2025-58056
High	io.netty:netty-codec:4.1.108.Final org.pentaho.di.plugins:pentaho-streaming-jms-plugin:10.3.0.0-SNAPSHOT	io.netty:netty-codec 4.1.108.Final	[4.1.125.Final]	CVE-2025-58057
High	pentaho-kettle:kettle-engine:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pentaho-metastore-locator-core:10.3.0.0-SNAPSHOT pentaho-kettle:kettle-engine:10.3.0.0-SNAPSHOT-tests org.pentaho.di.plugins:aggregate-rows-core:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pentaho-googledrive-vfs-core:10.3.0.0-SNAPSHOT com.sun.mail:javax.mail:1.6.1 org.pentaho.di.plugins:pentaho-kettle-repository-locator-impl-spoon:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pdi-core-plugins-impl:10.3.0.0-SNAPSHOT pentaho-kettle:kettle-ui-swt:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:kettle-hl7-plugin-core:10.3.0.0-SNAPSHOT org.pentaho.reporting.engine:classic-extensions:10.3.0.0-SNAPSHOT	com.sun.mail:javax.mail 1.6.1	-	CVE-2025-7962
High	org.apache.kafka:kafka-clients:3.4.0	org.apache.kafka:kafka-clients 3.4.0	[3.9.1]	CVE-2025-27817
High	org.springframework.security:spring-security-core:5.8.16	org.springframework.security:spring-security-crypto 5.8.16	[5.7.16] [5.8.18] [6.0.16] [6.1.14] [6.2.10] [6.3.8] [6.4.4]	CVE-2025-22228
High	io.netty:netty-handler:4.1.108.Final org.pentaho.di.plugins:pentaho-streaming-jms-plugin:10.3.0.0-SNAPSHOT	io.netty:netty-handler 4.1.108.Final	[4.1.118.Final]	CVE-2025-24970
Medium	io.netty:netty-codec-http:4.1.108.Final org.pentaho.di.plugins:pentaho-streaming-jms-plugin:10.3.0.0-SNAPSHOT	io.netty:netty-codec-http 4.1.108.Final	[4.1.129.Final] [4.2.8.Final]	CVE-2025-67735
Medium	org.apache.jackrabbit:jackrabbit-core:2.21.19	org.apache.jackrabbit:jackrabbit-jcr-commons 2.21.19	[2.22.2]	CVE-2025-58782
Medium	org.apache.jackrabbit:jackrabbit-core:2.21.19	org.apache.jackrabbit:jackrabbit-core 2.21.19	[2.22.2]	CVE-2025-58782
Medium	org.pentaho.reporting.engine:classic-core:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pdi-core-plugins-impl:10.3.0.0-SNAPSHOT	org.apache.poi:poi-ooxml 5.2.5	[5.4.0]	CVE-2025-31672
Medium	io.netty:netty-codec-http:4.1.108.Final org.pentaho.di.plugins:pentaho-streaming-jms-plugin:10.3.0.0-SNAPSHOT	io.netty:netty-common 4.1.108.Final	[4.1.118.Final]	CVE-2025-25193
Medium	org.apache.kafka:kafka-clients:3.4.0	org.apache.kafka:kafka-clients 3.4.0	[3.7.1]	CVE-2024-31141
Medium	io.netty:netty-codec-http:4.1.108.Final org.pentaho.di.plugins:pentaho-streaming-jms-plugin:10.3.0.0-SNAPSHOT	io.netty:netty-common 4.1.108.Final	[4.1.115.Final]	CVE-2024-47535
Medium	org.springframework:spring-web:5.3.39	org.springframework:spring-web 5.3.39	[6.1.14]	CVE-2024-38820
Medium	pentaho:pentaho-platform-core:10.3.0.0-SNAPSHOT org.springframework.security:spring-security-core:5.8.16 org.springframework:spring-context:5.3.39	org.springframework:spring-context 5.3.39	[6.1.14]	CVE-2024-38820
Medium	org.eclipse.jetty:jetty-http:9.4.57.v20241219-tests	org.eclipse.jetty:jetty-http 9.4.57.v20241219-tests	[12.0.12]	CVE-2024-6763
Medium	pentaho-kettle:kettle-ui-swt:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pentaho-googledrive-vfs-core:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pentaho-kettle-repository-locator-impl-spoon:10.3.0.0-SNAPSHOT pentaho-kettle:kettle-engine:10.3.0.0-SNAPSHOT-tests org.pentaho.di.plugins:aggregate-rows-core:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:kettle-hl7-plugin-core:10.3.0.0-SNAPSHOT org.pentaho.reporting.engine:classic-extensions-kettle:10.3.0.0-SNAPSHOT org.eclipse.jetty:jetty-server:9.4.57.v20241219 pentaho-kettle:kettle-engine:10.3.0.0-SNAPSHOT org.pentaho.di.plugins:pentaho-metastore-locator-core:10.3.0.0-SNAPSHOT	org.eclipse.jetty:jetty-http 9.4.57.v20241219	[12.0.12]	CVE-2024-6763
Medium	org.apache.activemq:artemis-junit:2.33.0	org.apache.commons:commons-configuration2 2.9.0	[2.10.1]	CVE-2024-29133
Medium	org.apache.activemq:artemis-junit:2.33.0	org.apache.commons:commons-configuration2 2.9.0	[2.10.1]	CVE-2024-29131
Medium	org.apache.sshd:sshd-sftp:0.11.0	org.apache.mina:mina-core 2.0.7	[2.0.22] [2.1.5]	CVE-2021-41973
Medium	org.apache.sshd:sshd-sftp:0.11.0	org.apache.sshd:sshd-core 0.11.0	-	CVE-2023-48795
Low	org.springframework.security:spring-security-core:5.8.16 org.springframework:spring-context:5.3.39 pentaho:pentaho-platform-core:10.3.0.0-SNAPSHOT	org.springframework:spring-context 5.3.39	[6.1.20] [6.2.7]	CVE-2025-22233

🔬 Research Details

[ CVE-2024-52046 ] org.apache.mina:mina-core 2.0.7

Description:
The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process
incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows
attackers to exploit the deserialization process by sending specially crafted malicious serialized data,
potentially leading to remote code execution (RCE) attacks.

This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4.

It's also important to note that an application using MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of MINA core library.

Upgrading will  not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods:

/**

     * Accept class names where the supplied ClassNameMatcher matches for

 * deserialization, unless they are otherwise rejected.

 *

 * @param classNameMatcher the matcher to use

 */

public void accept(ClassNameMatcher classNameMatcher)




/**

 * Accept class names that match the supplied pattern for

 * deserialization, unless they are otherwise rejected.

 *

 * @param pattern standard Java regexp

 */

public void accept(Pattern pattern) 





/**

 * Accept the wildcard specified classes for deserialization,

 * unless they are otherwise rejected.

 *

 * @param patterns Wildcard file name patterns as defined by

 *                  {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}

 */

public void accept(String... patterns)

By defa...

[ CVE-2022-45047 ] org.apache.sshd:sshd-core 0.11.0

Description:
Apache MINA SSHD is a 100% pure java library to support the SSH protocols on both the client and server side.

When creating a SSH server with Apache MINA SSHD, a KeyPairProvider should be set. A simple way to provide a keypair is to generate one or load one with the SimpleGeneratorHostKeyProvider class.
When SimpleGeneratorHostKeyProvider is used to load a keypair, the provided keypair is deserialized with no check of the object's class and so an attacker could provide a crafted malicious object ("Java Gadgets") that leads to code execution or other security impacts.

To exploit this issue, an attacker must find a way to upload a malicious file that the application will pass to the SimpleGeneratorHostKeyProvider class, which is unlikely to be possible.

Example of vulnerable code:

private SshServer startServer(
    FileSystem filesystem
) throws IOException {
    SshServer server = SshServer.setUpDefaultServer();
    server.setPort(port);
    server.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(new File("hostkey.ser").toPath()));
    server.setPasswordAuthenticator(this::authenticate);
    server.setSubsystemFactories(singletonList(new SftpSubsystemFactory()));
    server.setFileSystemFactory(session -> new DoNotClose(filesystem));
    server.start();
    this.server = server;
    return server;
}

An attacker controlling the hostkey.ser file can execute code.

Remediation:

Development mitigations

Generate host key file in OpenSSH format and load them replacing the use of SimpleGeneratorHostKeyProvider by FileKeyPairProvider as follows:

// To generate the KeyPair
File hostKeyFile = new File("/path/to/hostkeyfile");
OpenSSHKeyPairResourceWriter writer = new OpenSSHKeyPairResourceWriter();
writer.writeKeyPair(keypair, new FileSystemResource(hostKeyFile));

// To parse it
FileKeyPairProvider keyPairProvider = new FileKeyPairProvider(new String[]{"/path/to/hostkeyfile"});
SshServer sshServer = SshServer.setUpDefaultServer();
sshServer.setKeyPairProvider(keyPairProvider);

or use a custom implementation of SimpleGeneratorHostKeyProvider as following:

public class MySimpleGeneratorHostKeyProvider extends SimpleGeneratorHostKeyProvider {

    @Override
    protected void doInit() throws Exception {
        OpenSSHKeyPairResourceWriter writer = new OpenSSHKeyPairResourceWriter();
        KeyPair keyPair = getKeyPair();
        writer.writeKeyPair(keyPair, this);

        OpenSSHKeyPairResourceParser parser = new OpenSSHKeyPairResourceParser();
        Collection<KeyPair> keyPairs = parser.loadKeys(this);
        // Do something with the parsed key pairs...
    }
}

[ CVE-2016-1000027 ] org.springframework:spring-web 5.3.39

Description:
Spring-based applications that export service beans as endpoints using classes that extend the RemoteInvocationSerializingExporter class are vulnerable to Java deserialization attacks which could lead to RCE (Remote Code Execution). As of 2016, this vulnerability is still not fixed, as the Pivotal team (the maintainers of the Spring framework) disputed it as a security vulnerability in Spring itself and decided not to issue a fix. Instead, they deprecated HttpInvokerServiceExporter and SimpleHttpInvokerServiceExporter, the potentially vulnerable exporter classes that extend RemoteInvocationSerializingExporter and warned application developers not to use them when exposed to untrusted user input (see "WARNING" in the documentation). Applications that do not use the above classes can safely ignore this vulnerability.

Remediation:

Deployment mitigations

Do not use Java serialization for external endpoints (Do not extend the RemoteInvocationSerializingExporter class)

[ CVE-2019-0231 ] org.apache.mina:mina-core 2.0.7

Description:
Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA.

[ CVE-2025-27533 ] org.apache.activemq:activemq-openwire-legacy 5.18.4

Description:
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ.

During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections.
This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected.

Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue.

Existing users may implement mutual TLS to mitigate the risk on affected brokers.

[ CVE-2025-27533 ] org.apache.activemq:activemq-client 5.18.4

Description:
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ.

During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections.
This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected.

Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue.

Existing users may implement mutual TLS to mitigate the risk on affected brokers.

[ CVE-2022-41404 ] org.ini4j:ini4j 0.5.4

Description:
An issue in the fetch() method in the BasicProfile class of org.ini4j through version v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

[ CVE-2026-0603 ] org.hibernate:hibernate-core 5.4.24.Final

Description:
Hibernate ORM is a powerful object/relational mapping solution for Java, which allows developing persistence logic for applications, libraries, and frameworks.

[ CVE-2025-41249 ] org.springframework:spring-core 5.3.39

Description:
The Spring Framework is a widely used Java-based application framework that provides infrastructure support for the development of enterprise-level Java applications.
Spring Security's @EnableMethodSecurity is an annotation used to enable method-level security in a Spring application. It allows you to apply security constraints directly on methods (which represent web application endpoints) using annotations such as: @PreAuthorize, @PostAuthorize and more.

The core of the vulnerability lies in how the Spring Framework's MergedAnnotations API resolves annotations on methods within a type hierarchy that uses unresolved generics. For example, if a method with a security annotation is defined in a generic interface or superclass, and its child class or interface doesn't explicitly resolve the generic type, the Spring Framework might fail to detect the annotation.

The most significant impact of this vulnerability is the potential for authorization bypass in applications that use Spring Security's @EnableMethodSecurity feature. If an application's security is based on annotations and methods in a generic class hierarchy, this flaw could cause the security check to be incorrectly skipped.

For example, a developer might place a security annotation like @PreAuthorize on a method within a generic superclass. Due to the vulnerability, a call to the overridden method in a child class could bypass the security check, allowing an unauthorized user to execute the method's logic. This can lead to a denial of service or, in a worst-case scenario, authorization bypass.

Vulnerable code example:

import org.springframework.security.access.prepost.PreAuthorize;

// 1. Generic Superinterface with a security annotation
public interface GenericService<T> {

    @PreAuthorize("hasRole('ADMIN')")
    void performAction(T data);
}

// This class implements the generic interface but leaves the generic type unresolved.
public class ChildService<T> implements GenericService<...

**Remediation:**
##### Development mitigations

Do not use security annotations on methods in generic superclasses or generic interfaces. Define the security annotations directly on the child class. Other security annotations are not vulnerable.

</details>

<details>
<summary> <b>[ CVE-2025-58056 ] io.netty:netty-codec-http 4.1.108.Final</b> </summary>
<br>


**Description:**
[Netty](https://netty.io) is an asynchronous event-driven framework for developing client and server Java applications.

HTTP Request Smuggling is a web security vulnerability where conflicting interpretations of HTTP specifications by different front-end and back-end servers can lead to request manipulation by attackers.
This type of attack can lead to the following impacts: DoS, SSRF, XXS, data leakage, cache poisoning, session manipulation, security bypass, and business logic abuse.

The HTTP protocol uses `CRLF` characters (`\r\n`) as line terminators, and it does not allow bare LF (cases where only `\n` is present, meaning partial `CRLF`) to be used in chunked encoding.
In HTTP chunked transfer encoding, the `chunk-size` is a value indicating the number of bytes in the subsequent data chunk.

Netty does not reject these bare `LF` characters, but instead allows them in a `chunk-size` line, which may lead to request smuggling under the right conditions:

1. A reverse proxy is used and allows bare `LF` characters. These characters are not interpreted  as line terminators.

2. Netty is used in the backend server (as mentioned, Netty allows bare `LF` characters and interprets them as line terminators)

With the above configuration, HTTP requests "evade" the reverse proxy and reach the backend server, where they are split due to the interpretation of the bare LF as a line terminator. Thus, the smuggled request is processed as an additional individual request.

It is important to mention that there are no known reverse proxies that fulfill the attack prerequisites (including `Nginx`, `Traefik`). Most known proxies either disallow bare LF or treat it as a line terminator.

</details>

<details>
<summary> <b>[ CVE-2025-58057 ] io.netty:netty-codec 4.1.108.Final</b> </summary>
<br>


**Description:**
[Netty](https://netty.io) is an asynchronous event-driven framework for developing client and server Java applications.

The `netty` framework offers the [io.netty.handler.codec.compression](https://netty.io/4.1/api/io/netty/handler/codec/compression/package-summary.html). This package allows users to encode/decode data using various compression formats.

Among these formats is [brotli](https://github.com/google/brotli). In the implementation of the `BrotliDecoder` class, flawed logic allows unlimited memory allocation when using the `BrotliDecoder.decode` function on untrusted input. This can lead to denial of service.

</details>

<details>
<summary> <b>[ CVE-2025-7962 ] com.sun.mail:javax.mail 1.6.1</b> </summary>
<br>


**Description:**
Jakarta Mail defines a platform-independent and protocol-independent framework to build mail and messaging applications. The API allows sending and receiving emails using standard protocols like SMTP, POP3, and IMAP, supporting both text and multimedia content.
SMTP (Simple Mail Transfer Protocol) is used to send email between clients and servers. It is a text-based protocol that uses simple commands. In the SMTP protocol, CRLF (Carriage Return and Line Feed characters) act as the command separator. 

The vulnerability allows a SMTP Injection where an attacker injects the CRLF sequence into a data field (like an email address) to prematurely terminate the current command and inject new unauthorized SMTP commands, causing the server to relay forged messages.

When the vulnerable Jakarta Mail code gets the recipient address as a Unicode String, it first converts this string into raw ASCII byte stream for the SMTP connection. 

Specifically, the flaw is in the `sendCommand()` function that transmitted the attacker's input to the mail server, with no validation that the conversion to ASCII bytes does not contain the illegal CRLF characters. 

The attacker can use a specific sequence of non-ASCII Unicode characters (e.g. CJK characters) that would get substituted into the ASCII byte codes for the CRLF, and by this smuggle also unauthorized SMTP commands

The vulnerability is exploitable in any application that uses a vulnerable Jakarta Mail version and allows an attacker to input a string that is then used as a parameter (like a recipient address) in an outgoing email command (e.g. a form in the application where an unauthenticated user can enter an email address for a confirmation or follow-up.).

The attacker can provide as input to the application a non-ASCII Unicode string, which the vulnerable library converts into the full injection payload:

1ue@qq.com>\r\nRCPT TO:phising-victim@qq.com\r\nDATA\r\nSubject:PWNED\r\n\r\nHack!\r\n.\r\nQUIT\r\n

The injected CRLF at the beginning of t...

</details>

<details>
<summary> <b>[ CVE-2025-27817 ] org.apache.kafka:kafka-clients 3.4.0</b> </summary>
<br>


**Description:**
[Apache Kafka](https://kafka.apache.org/documentation/#) is an open-source distributed event streaming platform.

Users can use the `sasl.oauthbearer.token.endpoint.url` and `sasl.oauthbearer.jwks.endpoint.url` variables as part of the Kafka client (consumer) configuration file to indicate the URL where OAuth tokens should be taken from.

Attackers that can control the Kafka Client's configuration file (usually `client.properties`), can modify the `sasl.oauthbearer.token.endpoint.url` and `sasl.oauthbearer.jwks.endpoint.url`  values to use the `file:///` scheme.
Due to insufficient validation, This allows attackers to leak the contents of arbitrary files in the Apache Client's file system through error logs. The issue arises when a file is attempted to be accessed via `file:///` or other unintended protocols. The unexpected content causes an exception to be raised that may reveal the contents of the file. 
In addition, similar modifications can allow attackers to force the client to make requests to unintended external servers using the `http:///` or `https:///` protocols.

Mitigation was introduced in version 3.9.1 in the form of the `org.apache.kafka.sasl.oauthbearer.allowed.urls` property. Up to version 4.0.0, it allowed all URLs by default, and since version 4.0.0, the default list of allowed URLs is empty by default.

</details>

<details>
<summary> <b>[ CVE-2025-22228 ] org.springframework.security:spring-security-crypto 5.8.16</b> </summary>
<br>


**Description:**
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

</details>

<details>
<summary> <b>[ CVE-2025-24970 ] io.netty:netty-handler 4.1.108.Final</b> </summary>
<br>


**Description:**
[Netty](https://netty.io) is an asynchronous event-driven framework for developing client and server Java applications.

It was found that `java.io.netty.handler.SslUtils.getEncryptedPacketLength` does not validate received packets properly, which may lead to malformed packets getting validated, causing a denial of service when the OpenSSL engine processes them. A potential attacker could send maliciously crafted packets where `packetLength <= headerLength` to the Netty server, which would classify them as `NOT_ENOUGH_DATA` instead of `NOT_ENCRYPTED`. The incorrect classification caused the packets to be processed as if they were valid but incomplete, which would cause a crash when the packets reached the native OpenSSL engine due to invalid length calculations.

Note: The vulnerability only affects Netty servers which run the native OpenSSL engine.

**Remediation:**
##### Development mitigations

A possible workaround to the vulnerability is opting out of using the native OpenSSL engine.
Instead of -

SslContext context = ...;
SslHandler handler = context.newHandler(....);

Use -

SslContext context = ...;
SSLEngine engine = context.newEngine(....);
SslHandler handler = new SslHandler(engine, ....);

</details>

<details>
<summary> <b>[ CVE-2025-67735 ] io.netty:netty-codec-http 4.1.108.Final</b> </summary>
<br>


**Description:**
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.

</details>

<details>
<summary> <b>[ CVE-2025-58782 ] org.apache.jackrabbit:jackrabbit-jcr-commons 2.21.19</b> </summary>
<br>


**Description:**
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.

This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.

Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data.
Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.

</details>

<details>
<summary> <b>[ CVE-2025-58782 ] org.apache.jackrabbit:jackrabbit-core 2.21.19</b> </summary>
<br>


**Description:**
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.

This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.

Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data.
Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.

</details>

<details>
<summary> <b>[ CVE-2025-31672 ] org.apache.poi:poi-ooxml 5.2.5</b> </summary>
<br>


**Description:**
Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry.
This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries with duplicate file names are found in the input file.
Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read  https://poi.apache.org/security.html  for recommendations about how to use the POI libraries securely.

</details>

<details>
<summary> <b>[ CVE-2025-25193 ] io.netty:netty-common 4.1.108.Final</b> </summary>
<br>


**Description:**
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

</details>

<details>
<summary> <b>[ CVE-2024-31141 ] org.apache.kafka:kafka-clients 3.4.0</b> </summary>
<br>


**Description:**
Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients.

Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables.
In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.

In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products.
This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.0.


Users with affected applications are recommended to upgrade kafka-clients to version >=3.8.0, and set the JVM system property "org.apache.kafka.automatic.config.providers=none".
Users of Kafka Connect with one of the listed ConfigProvider implementations specified in their worker config are also recommended to add appropriate "allowlist.pattern" and "allowed.paths" to restrict their operation to appropriate bounds.


For users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access, it is not recommended to set the system property.
For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools, it is not recommended to set the system property.

</details>

<details>
<summary> <b>[ CVE-2024-47535 ] io.netty:netty-common 4.1.108.Final</b> </summary>
<br>


**Description:**
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

</details>

<details>
<summary> <b>[ CVE-2024-38820 ] org.springframework:spring-web 5.3.39</b> </summary>
<br>


**Description:**
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

</details>

<details>
<summary> <b>[ CVE-2024-38820 ] org.springframework:spring-context 5.3.39</b> </summary>
<br>


**Description:**
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

</details>

<details>
<summary> <b>[ CVE-2024-6763 ] org.eclipse.jetty:jetty-http 9.4.57.v20241219-tests</b> </summary>
<br>


**Description:**
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing.

The HttpURI class does insufficient validation on the authority segment of a URI.  However the behaviour of HttpURI
 differs from the common browsers in how it handles a URI that would be 
considered invalid if fully validated against the RRC.  Specifically HttpURI
 and the browser may differ on the value of the host extracted from an 
invalid URI and thus a combination of Jetty and a vulnerable browser may
 be vulnerable to a open redirect attack or to a SSRF attack if the URI 
is used after passing validation checks.

</details>

<details>
<summary> <b>[ CVE-2024-6763 ] org.eclipse.jetty:jetty-http 9.4.57.v20241219</b> </summary>
<br>


**Description:**
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing.

The HttpURI class does insufficient validation on the authority segment of a URI.  However the behaviour of HttpURI
 differs from the common browsers in how it handles a URI that would be 
considered invalid if fully validated against the RRC.  Specifically HttpURI
 and the browser may differ on the value of the host extracted from an 
invalid URI and thus a combination of Jetty and a vulnerable browser may
 be vulnerable to a open redirect attack or to a SSRF attack if the URI 
is used after passing validation checks.

</details>

<details>
<summary> <b>[ CVE-2024-29133 ] org.apache.commons:commons-configuration2 2.9.0</b> </summary>
<br>


**Description:**
Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1, which fixes the issue.

</details>

<details>
<summary> <b>[ CVE-2024-29131 ] org.apache.commons:commons-configuration2 2.9.0</b> </summary>
<br>


**Description:**
Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1, which fixes the issue.

</details>

<details>
<summary> <b>[ CVE-2021-41973 ] org.apache.mina:mina-core 2.0.7</b> </summary>
<br>


**Description:**
In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.

</details>

<details>
<summary> <b>[ CVE-2023-48795 ] org.apache.sshd:sshd-core 0.11.0</b> </summary>
<br>


**Description:**
SSH (Secure Shell) is a cryptographic network protocol that provides a secure way to access and manage remote systems over an unsecured network. [OpenSSH](https://www.openssh.com/) refers to an open-source implementation of the SSH (Secure Shell) protocol, offering encrypted communication for secure access to remote systems over networks.

[AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) (Advanced Encryption Standard) is a widely-used symmetric encryption algorithm that ensures secure and efficient encryption and decryption of data.

The Terrapin attack is a novel cryptographic attack in the SSH protocol itself, causing the compromised client to erroneously perceive that the server lacks support for recent signature algorithms used in user authentication, through a man-in-the-middle (MitM) attack. It affects a wide range of implementations, including but not limited to OpenSSH, Paramiko, and others. 

There are two vulnerable SSH configurations:
1. `ChaCha20-Poly1305`
2. Any `aes(128|192|256)-cbc` ciphers using the default MACs (or any MAC that uses Encrypt-then-MAC, EtM, for example - `hmac-sha2-256-etm@openssh.com`).

The default OpenSSH client and server are vulnerable to this attack, as they are configured to allow the vulnerable `ChaCha20-Poly1305` cipher. 

Note that updating either the server or client is not enough! Both must be patched. A vulnerable client connecting to a fixed server will still result in a vulnerable connection.

In OpenSSH 9.5, a new feature involving [keystroke timing obfuscation](https://lwn.net/Articles/298833/) was introduced. This attack enables a MitM attacker to disable this feature, and consequently to perform a keystroke timing attack against OpenSSH.

The researchers describe the ChaCha20-Poly1305 cipher integration as easier to exploit than the aes-cbc EtM. 

In this scenario, a prefix truncation attack is employed, wherein the attacker manipulates sequence numbers to selectively delete chosen packets from the start of a communication ch...

**Remediation:**
##### Deployment mitigations

To mitigate this, one can disable the vulnerable `ChaCha20-Poly1305` cipher in the OpenSSH server configuration.
Specifically, add the following to your `/etc/ssh/ssh(d)_config`: `Ciphers -chacha20-poly1305@openssh.com`.
Note the `-` at the start of the chacha20 cipher string.
Then, restart your SSH server for it to take effect.

In addition, ensure you’re not explicitly enabling any `aes(128|192|256)-cbc` ciphers in your OpenSSH configuration while using the default MACs (these ciphers are disabled by default)

</details>

<details>
<summary> <b>[ CVE-2025-22233 ] org.springframework:spring-context 5.3.39</b> </summary>
<br>


**Description:**
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.

Affected Spring Products and Versions

Spring Framework:
  *  6.2.0 - 6.2.6

  *  6.1.0 - 6.1.19

  *  6.0.0 - 6.0.27

  *  5.3.0 - 5.3.42
  *  Older, unsupported versions are also affected



Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)Fix Version Availability 6.2.x
 6.2.7
OSS6.1.x
 6.1.20
OSS6.0.x
 6.0.28
 Commercial https://enterprise.spring.io/ 5.3.x
 5.3.43
 Commercial https://enterprise.spring.io/ 
No further mitigation steps are necessary.


Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.

For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.

Credit

This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.

</details>

<details>
<summary> <b>Note:</b> </summary>


---
<div align='center'>

**Frogbot** also supports **Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning**. This features are included as part of the [JFrog Advanced Security](https://jfrog.com/advanced-security) package, which isn't enabled on your system.

</div>


</details>


---
<div align='center'>

[🐸 JFrog Frogbot](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

</div>

[buildguy]

❌ Build failed in 43m 22s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl plugins

---

❗ No tests found!

ℹ️ This is an automatic message