Thank you, Tilman. And, please, the 2.x branch hit end of life in April, 2025. Tilman happens to be updating that branch, personally, to support PDFBox, but the project no longer supports 2.x.
On Fri, Nov 14, 2025 at 8:13 AM Tilman Hausherr <[email protected]> wrote: > > Am 14.11.2025 um 09:31 schrieb Saravanan Balakrishnan: > > Hi Tika Team, > Please confirm the below listed vulnerability reported for Tika 2.9.5 > snapshot build, is there any chance of fixing in the Tika 2.9.5 snapshot > build or what is the impact on these reported CVE. > > Vulnerability ID Library > CVE-2025-22233 spring-context-5.3.39.jar > > used for a one line example > > > CVE-2024-47554 commons-io-2.7.jar > > we use 2.20 > > > CVE-2025-48924 commons-lang3-3.17.0.jar > > we use 3.19.0 > > > CVE-2024-45687 grizzly-http-3.0.1.jar > > I don't see that this is used, maybe indirectly? > > > CVE-2024-38820 spring-context-5.3.39.jar > > used for a one line example > > > CVE-2025-8916 bcprov-jdk18on-1.78.jar > > we use 1.82 > > > CVE-2020-15250 junit-4.10.jar > > That is used for build tests. > > > CVE-2020-8908 guava-18.0.jar > CVE-2023-2976 guava-18.0.jar > > We use 33.5.0-jre > > > CVE-2025-48924 commons-lang3-3.10.jar > > We use 3.19.0 > > > CVE-2025-41242 spring-beans-5.3.39.jar > > used for a one line example. > > Please don't make such posts before doing a minimum of research. Spring is > used for tika-examples, and junit is for build tests. This isn't production > code. > > Tilman > > > > Kindly revert back. Thanks in advance for your valuable time. > > Regards, > Saravanan B > > >
