guptas6est opened a new pull request, #15809: URL: https://github.com/apache/dubbo/pull/15809
## What is the purpose of the change? This PR upgrades Netty 4, Apache Commons-Lang3, gRPC, and Spring Security 6 versions across the Dubbo build to remediate multiple security vulnerabilities detected by Trivy and OWASP Dependency-Check. The new versions align Dubbo with the minimum fixed versions published in the CVE advisories and ensure the framework is not affected by reported DoS, Path Traversal, Recursion, and HTTP/2 attack vectors. ### Summary of CVEs remediated **Netty / gRPC related** - CVE-2025-55163 – Netty HTTP/2 “MadeYouReset” DDoS Vulnerability - CVE-2025-58057 – Netty BrotliDecoder DoS (zip-bomb style) - CVE-2025-58056 – Netty HTTP request smuggling - CVE-2025-59419 – Netty SMTP Command Injection **Apache Commons-Lang3** - CVE-2025-48924 – Apache Commons-Lang3 uncontrolled recursion vulnerability **Spring Security** - CVE-2025-41248 – Spring Security authorization bypass ## Checklist - [x] Make sure there is a [GitHub_issue](https://github.com/apache/dubbo/issues) field for the change. - [x] Write a pull request description that is detailed enough to understand what the pull request does, how, and why. - [x] Write necessary unit-test to verify your logic correction. If the new feature or significant change is committed, please remember to add sample in [dubbo samples](https://github.com/apache/dubbo-samples) project. - [x] Make sure gitHub actions can pass. [Why the workflow is failing and how to fix it?](../CONTRIBUTING.md) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
