This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 676ba078de5 [fix][sec] Override nimbus-jose-jwt to remediate
CVE-2023-52428 and CVE-2025-53864 (#24937)
676ba078de5 is described below
commit 676ba078de57ff1a8b30384babc88becdf61e566
Author: guptas6est <[email protected]>
AuthorDate: Tue Nov 4 11:37:18 2025 +0000
[fix][sec] Override nimbus-jose-jwt to remediate CVE-2023-52428 and
CVE-2025-53864 (#24937)
---
pom.xml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 24d9a2d4372..ae8d9013903 100644
--- a/pom.xml
+++ b/pom.xml
@@ -369,7 +369,7 @@ flexible messaging model and an intuitive client
API.</description>
<extra-enforcer-rules.version>1.6.1</extra-enforcer-rules.version>
<oshi.version>6.4.0</oshi.version>
<checkerframework.version>3.33.0</checkerframework.version>
-
+ <nimbus-jose-jwt.version>9.37.4</nimbus-jose-jwt.version>
<commons-beanutils.version>1.11.0</commons-beanutils.version>
<commons-configuration2.version>2.12.0</commons-configuration2.version>
</properties>
@@ -1739,6 +1739,12 @@ flexible messaging model and an intuitive client
API.</description>
<artifactId>opentelemetry-semconv</artifactId>
<version>${opentelemetry.semconv.version}</version>
</dependency>
+ <!-- enforce nimbus-jose-jwt version that gets pulled transitively -->
+ <dependency>
+ <groupId>com.nimbusds</groupId>
+ <artifactId>nimbus-jose-jwt</artifactId>
+ <version>${nimbus-jose-jwt.version}</version>
+ </dependency>
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
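Review bot: The comment on the new managed dependency, `<!-- enforce nimbus-jose-jwt version that gets pulled transitively -->`, names neither the artifact that pulls nimbus-jose-jwt in nor the CVEs the pin is for, so a later maintainer cannot tell when the override is obsolete or whether a bump of that importing dependency lets the vulnerable version back in. I would record that in place, e.g. `<!-- Managed pin for a transitive dependency (pulled in via TODO-name-the-importing-artifact): remediates CVE-2023-52428 / CVE-2025-53864; keep at 9.37.4 or later and drop once the importing dependency upgrades -->`. A dependencyManagement entry only steers Maven's resolution and does not touch a copy of nimbus-jose-jwt that another dependency has shaded or bundled, so it is worth confirming with `mvn dependency:tree` that 9.37.4 is the only version left in the affected modules. Since the build already runs the enforcer plugin (extra-enforcer-rules is versioned in the first hunk), a `bannedDependencies` rule with `<exclude>com.nimbusds:nimbus-jose-jwt:[,9.37.4)</exclude>` would make a regression fail the build instead of silently reintroducing the old version. The enclosing element (presumably `<dependencyManagement>`) starts and ends outside the hunk.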