Skip to content

[fix][sec] Upgrade Spring to 6.2.12 to remediate CVE-2025-22233 and CVE-2025-41249 #24903

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lhotari merged 2 commits into from
Oct 29, 2025
Merged

[fix][sec] Upgrade Spring to 6.2.12 to remediate CVE-2025-22233 and CVE-2025-41249 #24903

lhotari merged 2 commits into from
Oct 29, 2025

Conversation

@guptas6est
Copy link
Contributor

@guptas6est guptas6est commented Oct 28, 2025
edited
Loading

Fixes #xyz

Main Issue: #xyz

PIP: #xyz

Motivation

Upgrade Spring Framework to version 6.2.11 to address security vulnerabilities CVE-2025-22233 and CVE-2025-41249, ensuring the project uses a secure and patched version.

Modifications

  • Updated spring.version from 6.1.14 → 6.2.12 in pom.xml.

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Oct 28, 2025
@lhotari lhotari changed the title [fix][deps] Upgrade Spring to 6.2.11 to remediate CVE-2025-22233 and CVE-2025-41249 [fix][sec] Upgrade Spring to 6.2.11 to remediate CVE-2025-22233 and CVE-2025-41249 Oct 28, 2025
lhotari
lhotari reviewed Oct 28, 2025
View reviewed changes
@guptas6est
Copy link
Contributor Author

guptas6est commented Oct 28, 2025

Hi @lhotari, thank you for the review!
I’ll update both my PRs and push the suggested changes shortly.

@guptas6est guptas6est changed the title [fix][sec] Upgrade Spring to 6.2.11 to remediate CVE-2025-22233 and CVE-2025-41249 [fix][sec] Upgrade Spring to 6.2.12 to remediate CVE-2025-22233 and CVE-2025-41249 Oct 28, 2025
@codecov-commenter
Copy link

codecov-commenter commented Oct 29, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.22%. Comparing base (ebfff58) to head (a748d41).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##             master   #24903      +/-   ##
============================================
- Coverage     74.31%   74.22%   -0.09%     
+ Complexity    33843    33457     -386     
============================================
  Files          1913     1913              
  Lines        149325   149328       +3     
  Branches      17332    17334       +2     
============================================
- Hits         110966   110838     -128     
- Misses        29503    29623     +120     
- Partials       8856     8867      +11
Flag Coverage Δ
inttests 26.37% <ø> (+0.01%) ⬆️
systests 22.79% <ø> (-0.14%) ⬇️
unittests 73.76% <ø> (-0.06%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 85 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@lhotari lhotari added this to the 4.2.0 milestone Oct 29, 2025
@lhotari lhotari merged commit 38e0fa1 into apache:master Oct 29, 2025
94 of 102 checks passed
guptas6est added a commit to Nordix/pulsar that referenced this pull request Oct 30, 2025
@guptas6est
[fix][sec] Upgrade Spring to 6.2.12 to remediate CVE-2025-22233 and C…
93e8513 
…VE-2025-41249 (apache#24903)
lhotari pushed a commit that referenced this pull request Oct 31, 2025
@guptas6est @lhotari
[fix][sec] Upgrade Spring to 6.2.12 to remediate CVE-2025-22233 and C…
f3cf6aa 
…VE-2025-41249 (#24903)

(cherry picked from commit 38e0fa1)
lhotari pushed a commit that referenced this pull request Oct 31, 2025
@guptas6est @lhotari
[fix][sec] Upgrade Spring to 6.2.12 to remediate CVE-2025-22233 and C…
856da6e 
…VE-2025-41249 (#24903)

(cherry picked from commit 38e0fa1)
lhotari pushed a commit that referenced this pull request Oct 31, 2025
@guptas6est @lhotari
[fix][sec] Upgrade Spring to 6.2.12 to remediate CVE-2025-22233 and C…
f02d2c9 
…VE-2025-41249 (#24903)

(cherry picked from commit 38e0fa1)
ganesh-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 3, 2025
@guptas6est @ganesh-ctds
[fix][sec] Upgrade Spring to 6.2.12 to remediate CVE-2025-22233 and C…
78164dd 
…VE-2025-41249 (apache#24903)

(cherry picked from commit 38e0fa1)
(cherry picked from commit 856da6e)
manas-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 3, 2025
@guptas6est @manas-ctds
[fix][sec] Upgrade Spring to 6.2.12 to remediate CVE-2025-22233 and C…
2c3493c 
…VE-2025-41249 (apache#24903)

(cherry picked from commit 38e0fa1)
(cherry picked from commit f02d2c9)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 4, 2025
@guptas6est @srinath-ctds
[fix][sec] Upgrade Spring to 6.2.12 to remediate CVE-2025-22233 and C…
6af148f 
…VE-2025-41249 (apache#24903)

(cherry picked from commit 38e0fa1)
(cherry picked from commit f02d2c9)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 6, 2025
@guptas6est @srinath-ctds
[fix][sec] Upgrade Spring to 6.2.12 to remediate CVE-2025-22233 and C…
7ac7438 
…VE-2025-41249 (apache#24903)

(cherry picked from commit 38e0fa1)
(cherry picked from commit 856da6e)
nodece pushed a commit to nodece/pulsar that referenced this pull request Nov 12, 2025
@guptas6est @nodece
[fix][sec] Upgrade Spring to 6.2.12 to remediate CVE-2025-22233 and C…
02d6859 
…VE-2025-41249 (apache#24903)

(cherry picked from commit 38e0fa1)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lhotari lhotari lhotari approved these changes

Assignees

@guptas6est guptas6est

Labels

cherry-picked/branch-3.0 cherry-picked/branch-4.0 cherry-picked/branch-4.1 doc-not-needed Your PR changes do not impact docs ready-to-test release/3.0.15 release/4.0.8 release/4.1.2

Projects

None yet

Milestone

4.2.0

Development

Successfully merging this pull request may close these issues.

3 participants

@guptas6est @codecov-commenter @lhotari