
fix: critical CVE 2025-70952 fix#41673

Merged
sondermanish merged 1 commit into release from fix/cve-2025-70952 on Mar 30, 2026

Conversation


@sondermanish sondermanish commented Mar 30, 2026

Description

Upgrade PF4J plugin framework dependencies to address known vulnerabilities.

  • pf4j: 3.10.0 → 3.15.0 (latest release)
  • pf4j-spring: 0.8.0 → 0.10.0 (latest release)

What changed

  • app/server/pom.xml — Bump org.pf4j.version property from 3.10.0 to 3.15.0. This property is referenced via ${org.pf4j.version} in:
    • app/server/appsmith-server/pom.xml
    • app/server/appsmith-plugins/pom.xml
    • app/server/appsmith-interfaces/pom.xml
  • app/server/appsmith-server/pom.xml — Bump pf4j-spring from 0.8.0 to 0.10.0
  • app/server/appsmith-plugins/pom.xml — Bump pf4j-spring from 0.8.0 to 0.10.0

Compatibility

  • pf4j 3.15.0 still carries one non-critical vulnerability — acceptable trade-off for the security fixes included in the upgrade.
  • pf4j-spring 0.10.0 is built against Spring Framework 6.2.2 and uses the Jakarta namespace (jakarta.annotation-api), fully compatible with our Spring Boot 3.5.12 parent.

Fixes: https://linear.app/appsmith/issue/APP-15065/address-cve-2025-70952-vulnerability-in-appsmith-images

Automation

/ok-to-test tags="@tag.Datasource"

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/23736830870
Commit: a5a2ef1
Cypress dashboard.
Tags: @tag.Datasource
Spec:


Mon, 30 Mar 2026 09:48:15 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

@sondermanish sondermanish requested a review from sharat87 as a code owner March 30, 2026 08:38
@github-actions github-actions bot added the Bug Something isn't working label Mar 30, 2026
coderabbitai bot commented Mar 30, 2026

Walkthrough

Updated three Maven dependency version declarations across the project: upgraded pf4j-spring to 0.10.0 in two modules and bumped the core pf4j.version property from 3.10.0 to 3.15.0.

Changes

Cohort / File(s): Summary
  • PF4J Spring Dependency Updates (app/server/appsmith-plugins/pom.xml, app/server/appsmith-server/pom.xml): Upgraded org.pf4j:pf4j-spring from 0.8.0 to 0.10.0 in both modules.
  • Core PF4J Version Property (app/server/pom.xml): Updated org.pf4j.version Maven property from 3.10.0 to 3.15.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🔧 Dependencies dance in the build config rain,
PF4J springs forth with versions fresh and new,
From 0.8 to 0.10 they ascend,
While 3.10 becomes 3.15 too,
A gentle bump, no breaking change in sight! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. Explanation: The pull request description includes a clear summary of changes, version upgrades, affected files, and compatibility notes, though the issue reference and linked documentation are missing. Resolution: Add the specific issue number or URL (e.g., 'Fixes #41673' or the CVE link) and relevant documentation links to fully comply with the template requirements.

✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title references a critical CVE fix, which aligns with the PF4J dependency upgrades in the changeset that address security vulnerabilities.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
app/server/appsmith-server/pom.xml (1)

41-41: 🛠️ Refactor suggestion | 🟠 Major

Consider the correct version to address CVE-2025-70952.

Since PF4J 3.15.0 doesn't exist and the CVE fix is in commit 20c2f80, you should either:

  1. Use PF4J 3.14.0 (if it contains the fix), or
  2. Wait for the official release that includes commit 20c2f80, or
  3. Build from source with the commit included

Also ensure pf4j-spring version is compatible with whichever PF4J version you choose.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@app/server/appsmith-server/pom.xml` at line 41, The PF4J dependency in
pom.xml points to a non-existent 3.15.0 to address CVE-2025-70952; replace it by
either (A) pinning to a known released version that includes commit 20c2f80
(e.g., verify and use PF4J 3.14.0 if that commit/fix is present) or (B) building
PF4J from source with commit 20c2f80 and referencing the built artifact in your
local/remote repo, and in either case ensure the pf4j-spring dependency version
is updated to a compatible release (or built together) so PF4J API/ABI matches;
update the pom.xml dependency entries for artifactId pf4j and pf4j-spring
accordingly (or replace with the built coordinates) and run mvn verify to
confirm no dependency conflicts.
♻️ Duplicate comments (1)
app/server/appsmith-server/pom.xml (1)

258-258: ⚠️ Potential issue | 🟠 Major

Same version mismatch issue: pf4j-spring 0.10.0 expects PF4J 3.13.0.

This dependency has the same version mismatch as in app/server/appsmith-plugins/pom.xml. The relevant code snippet shows that CustomPluginManager extends SpringPluginManager with a no-arg constructor. API changes between pf4j-spring versions may affect this inheritance.

Verify SpringPluginManager constructor compatibility:

#!/bin/bash
# Check SpringPluginManager constructor compatibility between versions

echo "=== Checking CustomPluginManager implementation ==="
cat app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/PluginConfiguration.java

echo ""
echo "=== Searching for SpringPluginManager usage patterns ==="
rg -n "extends.*SpringPluginManager" --type java -C 5

echo ""
echo "=== Check if SpringPluginManager constructors changed ==="
echo "Need to verify pf4j-spring 0.8.0 vs 0.10.0 constructor signatures"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@app/server/appsmith-server/pom.xml` at line 258, The pf4j-spring dependency
version is mismatched (0.10.0 expects a different PF4J API) and may break your
CustomPluginManager that extends SpringPluginManager; update either the
pf4j-spring version to the one compatible with the PF4J core you use or adapt
the CustomPluginManager constructor/usage to the new SpringPluginManager API.
Specifically, inspect PluginConfiguration.java and the CustomPluginManager class
(search for "extends SpringPluginManager") and reconcile
constructors/signatures: if SpringPluginManager removed the no-arg constructor
in 0.10.0, add a matching constructor call (e.g., calling super(...) with
required parameters) or downgrade/align pf4j-spring in the pom.xml to the
version that matches your PF4J core. Ensure the pom.xml <version> entry for
pf4j-spring is consistent with PF4J core and update the CustomPluginManager
constructor to compile against the chosen pf4j-spring version.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@app/server/appsmith-plugins/pom.xml`:
- Line 56: The project POM overrides pf4j.version to 3.15.0 while pf4j-spring
0.10.0 expects PF4J 3.13.0; either set the pf4j.version property back to 3.13.0
in the app/server pom.xml (match pf4j.version property) or upgrade pf4j-spring
to a version that officially supports PF4J 3.15.0 — update the pf4j.version
property or the pf4j-spring dependency accordingly and run a full build/test to
verify compatibility.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4f6012cd-69da-4930-ad0c-68cd1e9ea371

📥 Commits

Reviewing files that changed from the base of the PR and between 344cc41 and a5a2ef1.

📒 Files selected for processing (3)
  • app/server/appsmith-plugins/pom.xml
  • app/server/appsmith-server/pom.xml
  • app/server/pom.xml
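The PR description says every module picks up the pf4j version through the parent's ${org.pf4j.version} property, while the inline review comment above worries about a module POM overriding that property and about pf4j-spring being pinned out of step with the core. Both concerns reduce to one question: after the bump, which versions does each module actually resolve to? The script below is an added example, not Appsmith project code and not CodeRabbit's check; the POM fragments, module names and the "minimum" versions it compares against are constructed to mirror the layout the PR describes (the 0.8.0 pf4j-spring pin in the plugins sample is a deliberate stale entry so the audit has something to report).

```python
"""Audit effective pf4j / pf4j-spring versions across Maven modules.

Added example, not Appsmith project code. The POM fragments are constructed
to mirror the layout the PR describes: the parent app/server/pom.xml declares
org.pf4j.version, child modules reference it as ${org.pf4j.version} and pin
pf4j-spring directly. The 0.8.0 pin in the plugins sample is a deliberate
stale entry so the check has something to report.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
PROPERTY_REF = re.compile(r"\$\{([^}]+)\}")
DEP = ("<dependency><groupId>org.pf4j</groupId><artifactId>{a}</artifactId>"
       "<version>{v}</version></dependency>")

# Constructed parent POM: the single place the pf4j version should be set.
PARENT_POM = (f'<project xmlns="{POM_NS}"><properties>'
              "<org.pf4j.version>3.15.0</org.pf4j.version></properties></project>")


def sample_module(artifacts, extra_props=""):
    """Constructed child POM declaring the given org.pf4j artifact versions."""
    deps = "".join(DEP.format(a=a, v=v) for a, v in artifacts.items())
    return (f'<project xmlns="{POM_NS}"><properties>{extra_props}</properties>'
            f"<dependencies>{deps}</dependencies></project>")


# Constructed module set; names follow the PR, contents are samples.
MODULES = {
    "appsmith-server": sample_module({"pf4j": "${org.pf4j.version}", "pf4j-spring": "0.10.0"}),
    "appsmith-plugins": sample_module({"pf4j": "${org.pf4j.version}", "pf4j-spring": "0.8.0"}),
    "appsmith-interfaces": sample_module({"pf4j": "${org.pf4j.version}"}),
}


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def properties(pom_xml):
    """Return the <properties> of a POM as a plain dict."""
    props = {}
    for node in ET.fromstring(pom_xml).iter():
        if _local(node.tag) == "properties":
            for child in node:
                props[_local(child.tag)] = (child.text or "").strip()
    return props


def dependencies(pom_xml):
    """Map (groupId, artifactId) -> raw <version> text for every <dependency>."""
    deps = {}
    for node in ET.fromstring(pom_xml).iter():
        if _local(node.tag) == "dependency":
            fields = {_local(c.tag): (c.text or "").strip() for c in node}
            deps[(fields.get("groupId"), fields.get("artifactId"))] = fields.get("version", "")
    return deps


def resolve(version, props):
    """Expand ${property} references; unknown ones stay verbatim so they get flagged."""
    return PROPERTY_REF.sub(lambda m: props.get(m.group(1), m.group(0)), version)


def version_key(version):
    """Numeric sort key; non-numeric parts (e.g. SNAPSHOT) count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version))


def effective_versions(parent_pom, modules, group, artifact):
    """Resolve one dependency's version in every module that declares it.

    A module's own <properties> override the parent's, which is exactly the
    situation the review flagged (a module POM redefining the pf4j version)."""
    parent_props = properties(parent_pom)
    found = {}
    for name, pom_xml in modules.items():
        raw = dependencies(pom_xml).get((group, artifact))
        if raw is not None:
            found[name] = resolve(raw, {**parent_props, **properties(pom_xml)})
    return found


def below_minimum(versions, minimum):
    """Module names whose resolved version is unresolved or older than `minimum`."""
    return sorted(name for name, v in versions.items()
                  if "${" in v or version_key(v) < version_key(minimum))


if __name__ == "__main__":
    # Minimums are the versions this PR targets; substitute the advisory's fixed version.
    for artifact, minimum in (("pf4j", "3.15.0"), ("pf4j-spring", "0.10.0")):
        found = effective_versions(PARENT_POM, MODULES, "org.pf4j", artifact)
        print(artifact, found, "stale:", below_minimum(found, minimum))
```

Running it reports the plugins module as stale for pf4j-spring and nothing stale for pf4j, which is the shape of answer a reviewer wants before approving a CVE-driven bump. On the real tree this text-level pass is only a first check: Maven's own resolution (`mvn help:effective-pom`, or `mvn dependency:tree -Dincludes=org.pf4j`) is what confirms which version actually lands on the classpath once dependencyManagement and transitive constraints are applied.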

Comment thread app/server/appsmith-plugins/pom.xml
@sondermanish sondermanish self-assigned this Mar 30, 2026
@sondermanish sondermanish added the ok-to-test Required label for CI label Mar 30, 2026
@sondermanish
Contributor Author

/build-deploy-preview skip-tests=true

@github-actions

Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/23736849353.
Workflow: On demand build Docker image and deploy preview.
skip-tests: true.
env: ``.
PR: 41673.
recreate: .
base-image-tag: .

@github-actions

Deploy-Preview-URL: https://ce-41673.dp.appsmith.com

@linear

linear bot commented Mar 30, 2026

@subrata71 subrata71 requested review from subrata71 and removed request for sharat87 March 30, 2026 11:42
@sondermanish sondermanish merged commit 46280e3 into release Mar 30, 2026
51 checks passed
@sondermanish sondermanish deleted the fix/cve-2025-70952 branch March 30, 2026 11:56

Labels

Bug Something isn't working ok-to-test Required label for CI
