guptas6est opened a new pull request, #15799: URL: https://github.com/apache/dubbo/pull/15799
## What is the purpose of the change?

This PR excludes the dependency **org.apache.tomcat.embed:tomcat-embed-core** from the spring-boot-starter-web dependency in the dubbo-demo-spring-boot-servlet module. The demo project was pulling in Tomcat 9.0.83, which contains several CRITICAL and HIGH-severity CVEs. Since this demo does not require an embedded Tomcat runtime, excluding the library removes all Tomcat-related vulnerabilities from the module without affecting Dubbo’s core functionality.

By excluding tomcat-embed-core, the following **15 CVEs** are fully remediated:

**Critical**
- CVE-2025-24813 – Potential RCE / information disclosure / corruption

**High**
- CVE-2024-34750 – Improper handling of exceptional conditions
- CVE-2024-50379 – RCE due to TOCTOU issue in JSP compilation
- CVE-2024-56337 – Incomplete fix for CVE-2024-50379 (still RCE vector)
- CVE-2025-48988 – DoS in multipart upload
- CVE-2025-48989 – “MadeYouReset” HTTP/2 DoS
- CVE-2025-55752 – Directory traversal with possible RCE

**Medium**
- CVE-2024-24549 – HTTP/2 header handling DoS
- CVE-2025-31650 – DoS via malformed HTTP/2 PRIORITY_UPDATE frames
- CVE-2025-49124 – Untrusted search path (Windows installer)
- CVE-2025-49125 – Security constraint bypass for pre/post-resources

**Low**
- CVE-2025-31651 – Rewrite Valve rule bypass
- CVE-2025-46701 – Security constraint bypass for CGI scripts
- CVE-2025-55754 – Console manipulation
- CVE-2025-61795 – Denial of service in Catalina component

## Checklist

- [x] Make sure there is a [GitHub_issue](https://github.com/apache/dubbo/issues) field for the change.
- [x] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
- [x] Write necessary unit-test to verify your logic correction. If the new feature or significant change is committed, please remember to add sample in [dubbo samples](https://github.com/apache/dubbo-samples) project.
- [x] Make sure gitHub actions can pass.
[Why the workflow is failing and how to fix it?](../CONTRIBUTING.md)

-- This is an automated message from the Apache Git Service.
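The PR's own diff is not shown above. As an added illustration (not the PR's code and not from the Dubbo repository), this is what a Maven exclusion of tomcat-embed-core from spring-boot-starter-web looks like in a pom.xml. It assumes the starter's version is supplied by a parent or BOM, which is why no `<version>` element appears; the artifact coordinates are the ones named in the PR description.

```xml
<!-- Added example, not the PR's actual diff. Excludes the embedded Tomcat
     runtime that spring-boot-starter-web pulls in transitively through
     spring-boot-starter-tomcat. Assumes the starter version is managed
     by a parent POM or BOM, so no <version> is declared here. -->
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
  <exclusions>
    <!-- A Maven exclusion matches groupId:artifactId anywhere in this
         dependency's transitive tree, so tomcat-embed-core disappears
         no matter which intermediate starter brought it in. -->
    <exclusion>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Two checks a reviewer would want after such a change: first, confirm the exclusion took effect with `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` in the module, which prints only what remains of the `org.apache.tomcat.embed` group; because the exclusion is by artifactId, sibling artifacts that the same starter brings in (tomcat-embed-el, tomcat-embed-websocket) are not removed by it and will still be listed, so decide explicitly whether they should be excluded too. Second, start the demo once, since removing the embedded server changes what `spring-boot-starter-web` provides at runtime; the PR description states the demo does not need the Tomcat runtime, and a run is the cheapest way to confirm that for the module's actual entry point.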
