Skip to content

Commit 3e73308

Browse files
committed
Suppress new Netty and Spring CVEs pending upstream fixes
CVE-2026-42582 (Netty 4.1.134.Final) and CVE-2026-41840/41841/41842/41843/41850/41851 (Spring Framework 6.2.18 via spring-boot-dependencies:3.5.14) have no fixed release yet. Suppressed temporarily to unblock CI; a follow-up PR will bump the dependencies once fixed versions are available.
1 parent 82aa285 commit 3e73308

1 file changed

Lines changed: 22 additions & 0 deletions

File tree

allow-list.xml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,4 +39,26 @@
3939
<vulnerabilityName>GHSA-7rx3-28cr-v5wh</vulnerabilityName>
4040
<vulnerabilityName>GHSA-442j-39wm-28r2</vulnerabilityName>
4141
</suppress>
42+
<suppress>
43+
<notes><![CDATA[
44+
CVE-2026-42582 affects Netty 4.1.134.Final. No fixed release available yet.
45+
Tracked for resolution via a dependency upgrade PR.
46+
]]></notes>
47+
<packageUrl regex="true">^pkg:maven/io\.netty/.*@.*$</packageUrl>
48+
<cve>CVE-2026-42582</cve>
49+
</suppress>
50+
<suppress>
51+
<notes><![CDATA[
52+
CVE-2026-41840 through CVE-2026-41851 affect Spring Framework 6.2.18, pulled in via
53+
spring-boot-dependencies:3.5.14. No fixed Spring Boot 3.5.x release available yet.
54+
Tracked for resolution via a dependency upgrade PR.
55+
]]></notes>
56+
<packageUrl regex="true">^pkg:maven/org\.springframework/.*@.*$</packageUrl>
57+
<cve>CVE-2026-41840</cve>
58+
<cve>CVE-2026-41841</cve>
59+
<cve>CVE-2026-41842</cve>
60+
<cve>CVE-2026-41843</cve>
61+
<cve>CVE-2026-41850</cve>
62+
<cve>CVE-2026-41851</cve>
63+
</suppress>
4264
</suppressions>

0 commit comments

Comments
 (0)