Request for Security Fix Backport or Java 11 Support in Jinjava

[SavinduDimal]

Hi team,

We are currently using jinjava 2.7.2, and noticed that the recent vulnerability CVE-2025-59340 has been addressed in jinjava 2.8.1.

However, starting from 2.8.x, Jinjava requires Java 17 or higher. Since our environment still relies on **Java 11 **, we are unable to upgrade to 2.8.1 to obtain the security fix.

Would it be possible to:

1. Backport the fix to a 2.7.x release (e.g., 2.7.5),
   or
2. Provide Java 11 compatibility in the 2.8.x line so that users on Java 11 can adopt the fix?

Thanks for your support and consideration!

[SavinduDimal]

Hi team,

Thank you for releasing Jinjava v2.7.5 with the fix [1] addressing the vulnerability CVE-2025-59340. However, on Maven Repository [2], CVE-2025-59340 is still flagged as a direct vulnerability for v2.7.5. We suspect this may be because the affected version range in the CVE record [3] has not yet been updated. Could you please check and update the affected versions accordingly so that security scanners correctly recognize v2.7.5 as patched?

Thanks for your support!

[1] b2b4b3d
[2] https://mvnrepository.com/artifact/com.hubspot.jinjava/jinjava/2.7.5
[3] https://www.cve.org/CVERecord?id=CVE-2025-59340

[jasmith-hs]

Submitted the form to update the advisory repository to include 2.7.5 as a fix: github/advisory-database#6281

[jasmith-hs]

The advisory database is updated. I will see if the CVE record ends up reflecting that 2.7.5 is a good build soon

[SavinduDimal]

Thank you for the quick response.