Upgrade jersey libraries to address CVE-2025-12383

[tengu-alt]

This PR upgrades jersey libraries family from 2.39.1 to 2.46 to address CVE-2025-12383

Note: while 2.39.1 is not listed as vulnerable - security scanners still may alert it as vulnerable

[tengu-alt]

@FrankYang0529 Could you please take a look or ping someone to review this?
It would be nice to include this in the future 3.9.2 release (I assume it is upcoming since the release candidate is presented)

[FrankYang0529]

@tengu-alt Thanks for the fix. We will take a look to check whether to include this in 3.9.2.

[chia7712]

The CVE is regarding eclipse-ee4j/jersey#5749, and the patch was NOT merged into 2.39.1. Hence, I think Kafka 3.9.2 is NOT affected by CVE-2025-12383

@tengu-alt @FrankYang0529 WDYT?

[gaurav-narula]

Curious why 2.46 and not 2.47 when that's the latest released 2.x version?

[gaurav-narula]

@chia7712 https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/253 mentions a reproducer for the CVE is at https://github.com/dtbaum/jerseyCveCandidate. I was able to reproduce it with 2.39.1 as well using that repo by editing pom.xml to update the version and replacing jakarta.* imports with javax.* in JerseyCveCandidate.java.

[chia7712]

@gaurav-narula thanks for the verification. I'm wondering whether it is the same issue, since PRs mentioned by the CVE is unrelated to 2.39.1

[gaurav-narula]

@gaurav-narula thanks for the verification. I'm wondering whether it is the same issue, since PRs mentioned by the CVE is unrelated to 2.39.1

I'm fairly certain it's the same issue as the PoC is asserting the same CVE and it's reproducible in 2.39.1. Here's the trail I could find:

• The bug was reported with Race condition eclipse-ee4j/jersey#5358
• Fixed in 2.41 with Race condition eclipse-ee4j/jersey#5359
• The above introduced a perf regression as commented here and explained here
• Initial attempt to fix with Jersey update from 3.1.3 to 3.1.4 slows down our external service res… eclipse-ee4j/jersey#5749 which had shortcomings
• Final fix which fixes both the race and the perf regression with Fix possible concurrent issue with SSL & default connector eclipse-ee4j/jersey#5794

[chia7712]

@gaurav-narula thanks for the info

@FrankYang0529 it seems we need to cut another RC

[yeikel]

Does this mean that the CVE data is just wrong?

I ask because CVE-2025-12383 only references 2.45, 3.0.16, 3.1.9