Fix CVE-2025-53864 and CVE-2025-22227 by updating vulnerable dependencies#101
…cies Co-authored-by: trask <218610+trask@users.noreply.github.com>
| "com.nimbusds:nimbus-jose-jwt:10.3", // CVE-2025-53864 fix | ||
| "io.projectreactor.netty:reactor-netty-http:1.2.8" // CVE-2025-22227 fix |
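Review bot: the two constraint lines name the CVE they address but not why the version was chosen or that neither library is a direct dependency (the thread traces them to azure-identity → msal4j → oauth2-oidc-sdk and to azure-core-http-netty); spell that out in the inline comment, e.g. `// CVE-2025-53864 fix; transitive via azure-identity/msal4j, drop once the Azure SDK ships a fixed version`, so a later maintainer knows when the pin can be retired, and confirm in the regenerated agent/agent-tooling/gradle.lockfile that both coordinates resolve to 10.3 and 1.2.8 in every configuration, not only the one inspected with dependencyInsight.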
@copilot what are the transitive dependencies pulling this in?
https://gh.io/copilot-coding-agent-docs what are the transitive dependencies pulling these in?
Based on the dependency insight, here are the transitive dependencies pulling these in:
nimbus-jose-jwt 10.0.1 (CVE-2025-53864):
com.azure:azure-identity→com.microsoft.azure:msal4j:1.21.0→com.nimbusds:oauth2-oidc-sdk:11.23→com.nimbusds:nimbus-jose-jwt:10.0.1
reactor-netty-http 1.0.48 (CVE-2025-22227):
- Multiple Azure SDK components via com.azure:azure-core-http-netty:1.15.12:
  - com.azure:azure-monitor-opentelemetry-autoconfigure:1.2.0
  - com.azure:azure-identity:1.16.2
  - com.azure:azure-storage-blob:12.30.1
  - com.azure:azure-storage-common:12.29.1
The dependency constraints I added force these to the secure versions (10.3 and 1.2.8 respectively).
what are the versions of these two dependencies currently?
Based on the dependency insight, here are the current versions:
Before my changes:
- nimbus-jose-jwt: 10.0.1 (vulnerable)
- reactor-netty-http: 1.0.48 (vulnerable)
After my changes:
- nimbus-jose-jwt: 10.3 (secure)
- reactor-netty-http: 1.2.8 (secure)
The dependency constraints I added in lines 74-75 force these to the secure versions.
This PR addresses two security vulnerabilities (CVEs) by updating vulnerable transitive dependencies to secure versions.
Security Issues Fixed
- CVE-2025-53864 - Vulnerable gson 2.11.0 nimbus-jose-jwt 10.0.1: nimbus-jose-jwt from 10.0.1 to 10.3
- CVE-2025-22227 - Vulnerable reactor-netty-http 1.0.48: reactor-netty-http from 1.0.48 to 1.2.8
Changes Made
- Updated dependency management (dependencyManagement/build.gradle.kts)
- Regenerated dependency lock files: agent/agent-tooling/gradle.lockfile with secure versions, using --write-locks to ensure consistent dependency resolution
Verification
- nimbus-jose-jwt: 10.0.1 → 10.3
- reactor-netty-http: 1.0.48 → 1.2.8
The changes are minimal and surgical, affecting only the necessary dependency constraints to address the security vulnerabilities while maintaining full compatibility with existing functionality.
Fixes #100.
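A check that a reviewer of this PR could run against the regenerated gradle.lockfile to confirm the Verification claim above, written for this page as an added Python example; it is not code from the PR or from the project. It assumes Gradle's single-file lockfile format (`group:artifact:version=configuration,...`, with an `empty=` line for configurations that resolve nothing), embeds two constructed lockfile snippets standing in for the before and after states of this PR, and compares versions component-wise, which is what makes 1.0.48 sort below 1.2.8 and 10.0.1 below 10.3 regardless of string length.

```python
"""Verify that a Gradle lockfile resolves pinned dependencies to at least a fixed version."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the lockfile as it should look after this PR's constraints
# were applied and --write-locks was run.  Not the project's real lockfile.
LOCKFILE_AFTER = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.azure:azure-identity:1.16.2=runtimeClasspath
com.microsoft.azure:msal4j:1.21.0=runtimeClasspath
com.nimbusds:nimbus-jose-jwt:10.3=compileClasspath,runtimeClasspath
io.projectreactor.netty:reactor-netty-http:1.2.8=runtimeClasspath
empty=annotationProcessor
"""

# Constructed sample: the same lockfile with the versions the thread reports as vulnerable.
LOCKFILE_BEFORE = LOCKFILE_AFTER.replace("nimbus-jose-jwt:10.3", "nimbus-jose-jwt:10.0.1") \
                                .replace("reactor-netty-http:1.2.8", "reactor-netty-http:1.0.48")

# Minimum acceptable versions, taken from the PR's constraints (a hypothetical policy table).
MINIMUM_VERSIONS = {
    "com.nimbusds:nimbus-jose-jwt": "10.3",                  # CVE-2025-53864 fix
    "io.projectreactor.netty:reactor-netty-http": "1.2.8",  # CVE-2025-22227 fix
}


def parse_lockfile(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map 'group:artifact' -> (version, [configurations]); comments and 'empty=' are skipped."""
    entries: Dict[str, Tuple[str, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("empty="):
            continue
        coordinate, _, configs = line.partition("=")
        group, artifact, version = coordinate.split(":", 2)
        entries[f"{group}:{artifact}"] = (version, configs.split(",") if configs else [])
    return entries


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sort key comparing numeric components as integers, not as strings.

    '1.0.48' < '1.2.8' and '10.0.1' < '10.3'; a qualifier such as '-RC1' marks a
    pre-release and sorts below the bare release with the same numbers.
    """
    main, _, qualifier = version.partition("-")
    numbers = tuple(int(part) for part in main.split(".") if part.isdigit())
    return (numbers, 0 if qualifier else 1, qualifier)


def check_minimums(lockfile_text: str,
                   minimums: Dict[str, str] = MINIMUM_VERSIONS
                   ) -> List[Tuple[str, Optional[str], str]]:
    """Return (coordinate, resolved_version, status) rows.

    status is 'ok' (at or above the floor), 'vulnerable' (below it) or
    'missing' (the coordinate does not appear in the lockfile at all, which
    may mean the constraint never took effect for the locked configurations).
    """
    resolved = parse_lockfile(lockfile_text)
    rows: List[Tuple[str, Optional[str], str]] = []
    for coordinate, floor in minimums.items():
        if coordinate not in resolved:
            rows.append((coordinate, None, "missing"))
            continue
        version, _configs = resolved[coordinate]
        status = "ok" if version_key(version) >= version_key(floor) else "vulnerable"
        rows.append((coordinate, version, status))
    return rows


def has_vulnerable(rows: List[Tuple[str, Optional[str], str]]) -> bool:
    """True when any pinned dependency resolved below its minimum version."""
    return any(status == "vulnerable" for _, _, status in rows)


if __name__ == "__main__":
    for label, text in (("before", LOCKFILE_BEFORE), ("after", LOCKFILE_AFTER)):
        print(f"== {label} ==")
        for coordinate, version, status in check_minimums(text):
            print(f"  {status:10s} {coordinate} {version}")
```

Pointing `check_minimums` at the real `agent/agent-tooling/gradle.lockfile` contents turns the PR's Verification bullets into a repeatable CI assertion; a `missing` row is worth treating as a failure too, since it means the constraint did not reach the locked configurations.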