
chore: upgrade WireMock to 4.0.0-beta.32 to resolve Jetty CVE-2025-11143#332

Draft
Copilot wants to merge 2 commits into main from copilot/resolve-jetty-http-vulnerability

Conversation


Copilot AI commented Apr 24, 2026

GHSA-wjpw-4j6x-6rwh / CVE-2025-11143: all Jetty 11.x versions (>= 11.0.0, <= 11.0.26) have differential URI parsing behaviour that can bypass security controls in multi-component systems. Jetty 11.x is EOL with no patch on Maven Central; patched versions start at 12.0.31 / 12.1.5.

Changes

  • build.gradle: bump org.wiremock:wiremock 3.13.2 -> 4.0.0-beta.32, which pulls in jetty-bom:12.1.8 (patched)
  • build.gradle: add org.wiremock:wiremock-junit5:4.0.0-beta.32 — WireMock 4.x splits the JUnit 5 extension into a separate artifact; no test source changes needed since the com.github.tomakehurst.wiremock.* namespace is preserved

Reachability

WireMock is a test-only mock server. Jetty's URI parser is never in the request path for any production or security-sensitive logic. This update resolves the scanner alert; there is no active exploit risk in this codebase.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • invalid-hostname-that-does-not-exist.local
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -Dorg.gradle.internal.worker.tmpdir=/home/REDACTED/work/java-sdk/java-sdk/build/tmp/test/work -javaagent:/home/REDACTED/work/java-sdk/java-sdk/build/tmp/.cache/expanded/zip_27729b840c216bdc69a9315e04b27ab1/jacocoagent.jar=destfile=build/jacoco/test.exec,append=true,inclnolocationclasses=false,dumponexit=true,output=file,jmx=false @/home/REDACTED/.gradle/.tmp/gradle-worker-classpath4853964645954119057txt -Xmx512m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -ea worker.org.gradle.process.internal.worker.GradleWorkerMain &#39;Gradle Test Executor 1&#39; (dns block)
  • wiremock.org
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the Dependabot vulnerability alert you should resolve

<alert_title>org.eclipse.jetty:jetty-http has different parsing of invalid URIs</alert_title>
<alert_description>The Jetty URI parser has some key differences compared to other common parsers when evaluating invalid or unusual URIs. Specifically:

Invalid Scheme

| URI | Jetty | uri-js (nodejs) | node-url (nodejs) |
|---|---|---|---|
| https>://vulndetector.com/path | scheme=http> | scheme=https | invalid URI |

Improper IPv4 mapped IPv6

| URI | Jetty | System.Uri (C#) | curl (C) |
|---|---|---|---|
| http://[0:0:0:0:0:ffff:127.0.0.1] | invalid | host=[::ffff:127.0.0.1] | host=[::ffff:127.0.0.1] |
| http://[::ffff:255.255.0.0] | invalid | host=[::ffff:255.255.0.0] | host=[::ffff:255.255.0.0] |

Incorrect IPv6 delimiter priority

| URI | Jetty | urllib3 (python) | furl (python) | Spring | chromium |
|---|---|---|---|---|---|
| http://[normal.com@]vulndetector.com/ | host=[normal.com@] | invalid | invalid | | |
| http://normal.com[user@vulndetector].com/ | host=`[noirmal.com@vulndetector | host=normal.com | invalid | | |
| http://normal.com[@]vulndetector.com/ | host=`normal.com[@] | host=normal.com | invalid | | |

Incorrect delimiter priority

| URI | Jetty | urllib3 (python) | jersey |
|---|---|---|---|
| http://normal.com/#@vulndetector.com | host=vulndetector.com | host=normal.com | host=normal.com |
| http://normal.com/?@vulndetector.com | host=vulndetector.com | host=normal.com | host=normal.com |

Impact

Differential parsing of URIs in systems using multiple components may result in security bypass. For example, a component that enforces a blacklist may interpret the URIs differently from one that generates a response.
At the very least, differential parsing may divulge implementation details.

Patches

Patched in Supported Open Source versions.

  • 12.1.5 - Supported and available on Maven Central
  • 12.0.31 - Supported and available on Maven Central
  • 11.0.x - EOL Release, patches available on tuxcare and herodevs
  • 10.0.x - EOL Release, patches available on tuxcare and herodevs
  • 9.4.x - EOL Release, patches available on tuxcare and herodevs

Workarounds

None

Resources

low
GHSA-wjpw-4j6x-6rwh, CVE-2025-11143
org.eclipse.jetty:jetty-http
maven
<vulnerable_versions><= 11.0.26</vulnerable_versions>
<patched_version></patched_version>
<manifest_path>settings.gradle</manifest_path>

https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh
https://nvd.nist.gov/vuln/detail/CVE-2025-11143
https://github.com/user-attachments/files/22222625/Java.Eclipse.Jetty.Report_.Incorrect.Parsing.Priority.of.the.IPv6.Hostname.Delimeter.pdf
https://github.com/user-attachments/files/22222626/Java.Eclipse.Jetty.Report_.The.Parsing.Priority.of.the.Delimiter.pdf
https://github.com/user-attachments/files/22222627/Java.Eclipse.Jetty.Report_.Parsing.Difference.Due.to.Deformed.Scheme.pdf
https://github.com/user-attachments/files/22222630/Java.Eclipse.Jetty.Report_.Improper.IPv4-mapped.IPv6.Parsing.pdf
https://github.com/advisories/GHSA-wjpw-4j6x-6rwh

<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is actively exposed...
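The advisory's point is that the same URI yields different hosts in different parsers. As an added illustration, not part of this PR, the advisory or the Jetty project, the following Python check applies RFC 3986's generic syntax strictly: an allow-list or gateway component that uses it rejects every ambiguous URI from the tables above outright instead of guessing a host, so no downstream parser can disagree with it. The names `strict_parse` and `classify` are mine, and Python is used so the check runs stand-alone without Jetty on the classpath.

```python
import ipaddress
import re

# RFC 3986 Appendix B split (lenient), then strict validation of each component
# against the RFC's character classes: ambiguous input is rejected, not guessed.
_SPLIT = re.compile(r"^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$")
_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")
_USERINFO = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:]|%[0-9A-Fa-f]{2})*")
_REG_NAME = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*")


def strict_parse(uri: str) -> dict:
    """Return scheme/host/port/path, or raise ValueError on any RFC 3986 violation."""
    m = _SPLIT.match(uri)
    if m is None:
        raise ValueError("not a URI")
    scheme, authority, path, _query, _fragment = m.groups()
    if scheme is None or not _SCHEME.fullmatch(scheme):
        raise ValueError(f"invalid scheme {scheme!r}")          # e.g. 'https>'
    if authority is None:
        raise ValueError("missing authority")
    # '@' is allowed in neither userinfo nor reg-name, so the last '@' is the only split.
    userinfo, at, hostport = authority.rpartition("@")
    if at and not _USERINFO.fullmatch(userinfo):
        raise ValueError(f"invalid userinfo {userinfo!r}")      # e.g. '[normal.com'
    if hostport.startswith("["):                                # IP-literal (IPv6 only here)
        close = hostport.find("]")
        if close < 0:
            raise ValueError("unterminated IP-literal")
        host = str(ipaddress.IPv6Address(hostport[1:close]))    # ValueError if not IPv6
        rest = hostport[close + 1:]
    else:                                                       # reg-name or IPv4address
        host, colon, port_str = hostport.partition(":")
        if not _REG_NAME.fullmatch(host):
            raise ValueError(f"invalid host {host!r}")
        rest = colon + port_str
    if rest and not re.fullmatch(r":[0-9]*", rest):
        raise ValueError(f"unexpected text after host {rest!r}")
    port = int(rest[1:]) if len(rest) > 1 else None
    return {"scheme": scheme.lower(), "host": host.lower(), "port": port, "path": path}


def classify(uri: str) -> str:
    """'host=<h>' when the URI is unambiguous, otherwise 'invalid (<reason>)'."""
    try:
        return f"host={strict_parse(uri)['host']}"
    except ValueError as exc:
        return f"invalid ({exc})"
```

Run over the advisory's rows, the deformed scheme and the three IPv6-delimiter cases come back invalid, the `#@` and `?@` cases resolve to normal.com (the urllib3/jersey reading, not Jetty's), and the IPv4-mapped IPv6 literals are accepted as the RFC requires (the curl/System.Uri reading).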

@codecov-commenter

codecov-commenter commented Apr 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 38.05%. Comparing base (2565cc8) to head (1564851).

Additional details and impacted files
@@            Coverage Diff            @@
##               main     #332   +/-   ##
=========================================
  Coverage     38.05%   38.05%           
  Complexity     1259     1259           
=========================================
  Files           198      198           
  Lines          7646     7646           
  Branches        885      885           
=========================================
  Hits           2910     2910           
  Misses         4598     4598           
  Partials        138      138           

☔ View full report in Codecov by Sentry.

Copilot AI changed the title from "[WIP] Fix parsing of invalid URIs in Jetty" to "fix(deps): upgrade WireMock to 4.0.0-beta.32 to resolve Jetty CVE-2025-11143" on Apr 24, 2026
Copilot AI requested a review from curfew-marathon on April 24, 2026 03:30
curfew-marathon changed the title from "fix(deps): upgrade WireMock to 4.0.0-beta.32 to resolve Jetty CVE-2025-11143" to "chore: upgrade WireMock to 4.0.0-beta.32 to resolve Jetty CVE-2025-11143" on Apr 24, 2026