fix(security): bump Spring Boot to 3.5.14 and Netty to 4.1.135 for CVE fixes#41928
…E fixes

Bumps spring-boot-starter-parent 3.5.12 -> 3.5.14 to remediate CVE-2026-40973 (insecure multipart temporary file), and overrides the BOM-managed Netty to 4.1.135.Final to remediate reachable Netty CVEs CVE-2026-33870 and CVE-2026-42583, plus newly disclosed netty-handler and netty-resolver-dns advisories (CVE-2026-44249, 45416, 50010, 45674, 47691) and the netty-codec/http2/dns set (CVE-2026-42584, 42587, 42579, 33871). Spring Boot 3.5.14 still manages the vulnerable Netty 4.1.132, so an explicit netty.version property override is required.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Walkthrough
The PR updates the app server Maven parent version, adds a centralized Netty version property, and revises an ArangoDB plugin comment to describe Netty as provided by the appsmith-server runtime.
Changes
Server dependency version updates
/build-deploy-preview skip-tests=true
Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/28264173509.
Deploy-Preview-URL: https://ce-41928.dp.appsmith.com
subrata71
left a comment
It's going to resolve the claimed CVEs in the CE repo but one is related to Keycloak and as a result it's not going to resolve everything that's claimed in the EE repo. Safe to merge regardless.
Summary
Remediates reachable High CVEs in the Spring server via two dependency bumps.
Why the Netty property override
Spring Boot 3.5.14's BOM manages Netty 4.1.132.Final, which is still vulnerable. <netty.version>4.1.135.Final</netty.version> is the canonical property the spring-boot-dependencies BOM consumes, so it bumps all io.netty:* artifacts consistently. There is no competing netty-bom import or direct Netty pin in the server tree.
Validation
mvn help:evaluate confirms effective versions: netty.version=4.1.135.Final, parent 3.5.14. appsmith-server POM resolves/parses (BUILD SUCCESS).
CI Trigger
/ok-to-test tags="@tag.All"
Test plan
🤖 Generated with Claude Code
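A check that the netty.version override actually reached every io.netty artifact in the resolved tree, added here as an example and not part of this PR: it reads `mvn dependency:list` output (assumed line shape `[INFO]    group:artifact:type[:classifier]:version:scope`) and flags any io.netty artifact still on a different version, including native-transport artifacts that carry a classifier. The sample lines are constructed.

```shell
#!/bin/sh
# Version the PR expects after the override; adjust if the property changes.
EXPECTED_NETTY="4.1.135.Final"

# Reads `mvn dependency:list` output on stdin and prints "MISMATCH <coord>" for
# every io.netty artifact whose resolved version differs from $1.
# Returns 0 when all io.netty artifacts match, 1 otherwise.
check_netty_versions() {
    awk -F: -v expected="$1" '
        BEGIN { bad = 0 }
        /io\.netty:/ {
            sub(/^\[INFO\][[:space:]]*/, "")   # drop the Maven log prefix
            sub(/ -- .*$/, "")                 # drop module info printed by newer plugin versions
            # Fields are group:artifact:type[:classifier]:version:scope, so the
            # version is the first field from the 4th onward that starts with a digit
            # (a classifier such as linux-x86_64 sits in field 4 when present).
            version = ""
            for (i = 4; i <= NF; i++) if ($i ~ /^[0-9]/) { version = $i; break }
            if (version != expected) { print "MISMATCH " $0; bad = 1 }
        }
        END { exit bad }
    '
}

# Real usage (not run here):
#   mvn dependency:list | check_netty_versions "$EXPECTED_NETTY"

# Constructed sample output: one artifact is still on the BOM-managed 4.1.132.
SAMPLE='[INFO]    io.netty:netty-handler:jar:4.1.135.Final:compile
[INFO]    io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.135.Final:compile
[INFO]    io.netty:netty-resolver-dns:jar:4.1.132.Final:compile -- module io.netty.resolver.dns [auto]
[INFO]    org.example:not-netty:jar:1.0.0:compile'

if printf '%s\n' "$SAMPLE" | check_netty_versions "$EXPECTED_NETTY"; then
    echo "all io.netty artifacts resolve to $EXPECTED_NETTY"
else
    echo "override did not propagate to every io.netty artifact"
fi
```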
🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/28471068281
Commit: 9102e65
Cypress dashboard.
Tags: @tag.All
Spec:
Wed, 01 Jul 2026 14:37:32 UTC