Conversation

@ivonaest

Summary

  1. Why:
    To remove CVEs:

    • CVE-2024-57699
    • This CVE affects json-smart library and can lead to denial-of-service through stack exhaustion when parsing malicious JSON
  2. What:

    • Upgrade json-path to 2.10.0 to remove CVE-2024-57699
    • json-smart is a transitive dependency of json-path and needed to be at version 2.5.2 or later
    • By upgrading json-path to 2.10.0, json-smart was upgraded to 2.6.0

Additional evidence

Partial output from security scanner Trivy:

[image: spring-framework cves json-smart]

Categorization

  • security/CVE

@bclozel bclozel changed the title from "Bumping up json-path to 2.10.0 to remove CVE-2024-57699" to "Bumping up json-path to 2.10.0" on Nov 28, 2025
@bclozel bclozel changed the title from "Bumping up json-path to 2.10.0" to "Upgrade to json-path 2.10.0" on Nov 28, 2025
@bclozel
Member

bclozel commented Nov 28, 2025

CVE-2024-57699 is irrelevant here as Spring Framework optionally compiles against this dependency. Only applications depend on json-path.

@spring-projects-issues spring-projects-issues added the label "status: waiting-for-triage" on Nov 28, 2025
@ivonaest
Author

Hi @bclozel, while Spring is not vulnerable, merging it is a small upgrade that would remove the CVE from future security scans. Are you sure you don't want to merge it?

@bclozel bclozel self-assigned this Nov 28, 2025
@bclozel
Member

bclozel commented Nov 28, 2025

@ivonaest I will merge it. I am just stating that this dependency will not show up in security scans because it is not declared in any of our artifacts. Only "spring-test" compiles against it and you can check that it does not depend on it in the published POM: https://central.sonatype.com/artifact/org.springframework/spring-test

Upgrading dependencies is an important concern, but it's even more important to understand how dependency management works and whether a CVE is applicable. Here it is not.
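The check bclozel describes (look at what the published POM actually declares, not at what the build compiles against) can be automated. This is an added example, not code from the PR or the Spring project; the POM below is constructed for illustration and is not the real spring-test POM.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM (illustrative only; not the published spring-test POM).
# It declares one normal compile dependency and one optional dependency.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.springframework</groupId>
  <artifactId>spring-test</artifactId>
  <version>X.Y.Z-SAMPLE</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>X.Y.Z-SAMPLE</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>example.org</groupId>
      <artifactId>optional-lib</artifactId>
      <version>1.0</version>
      <scope>compile</scope>
      <optional>true</optional>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def transitive_deps(pom_xml: str) -> set[str]:
    """Return the 'group:artifact' coordinates a consumer inherits from this POM.

    Maven propagates only non-optional dependencies in compile or runtime scope;
    optional, provided and test dependencies stay with the producing project,
    so a scanner that counts them as transitive produces false positives.
    """
    root = ET.fromstring(pom_xml)
    inherited = set()
    for dep in root.findall("m:dependencies/m:dependency", NS):
        scope = (dep.findtext("m:scope", "compile", NS) or "compile").strip()
        optional = (dep.findtext("m:optional", "false", NS) or "false").strip() == "true"
        if scope in ("compile", "runtime") and not optional:
            group = dep.findtext("m:groupId", "", NS)
            artifact = dep.findtext("m:artifactId", "", NS)
            inherited.add(f"{group}:{artifact}")
    return inherited


def cve_applies_via(pom_xml: str, coordinate: str) -> bool:
    """True only if consumers of this artifact would actually pull `coordinate`."""
    return coordinate in transitive_deps(pom_xml)
```

Run it against the POM downloaded from Maven Central for the real artifact; if the coordinate is absent from the inherited set, the CVE on that dependency does not reach consumers through this artifact.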

@ivonaest
Author

@bclozel Thank you for taking the time to explain the CVE in this project. From my understanding, it is a false positive reported by the Trivy scanner.

@bclozel
Member

bclozel commented Nov 28, 2025

Can you share the part where Trivy points to spring-test as the culprit?

Trivy might be looking at the Gradle module information (where this dependency might show up) but is maybe missing the fact that it's not on the compile classpath.

@ivonaest
Author

It showed up only here:

[image]

@bclozel
Member

bclozel commented Nov 28, 2025

I don't understand why Trivy thinks spring-test has guava and other dependencies as transitive dependencies. Neither the POM file nor the Gradle module file lists anything like this. The commons-beanutils mention is also very strange.

If you can reach out to the Trivy team and get some answers, please let us know.
