Copilot AI commented Jul 23, 2025

This PR addresses two security vulnerabilities (CVEs) by updating vulnerable transitive dependencies to secure versions.

Security Issues Fixed

CVE-2025-53864 - Vulnerable gson 2.11.0

  • Source: Transitive dependency from nimbus-jose-jwt 10.0.1
  • Fix: Updated nimbus-jose-jwt from 10.0.1 to 10.3
  • Result: The newer version of nimbus-jose-jwt no longer depends on gson, eliminating the vulnerability

CVE-2025-22227 - Vulnerable reactor-netty-http 1.0.48

  • Source: Transitive dependency from Azure SDK components
  • Fix: Updated reactor-netty-http from 1.0.48 to 1.2.8
  • Result: Updated to a secure version that addresses the vulnerability

Changes Made

  1. Updated dependency management (dependencyManagement/build.gradle.kts):

    • Added explicit version constraints for both vulnerable dependencies
    • Added security comments explaining the CVE fixes
  2. Regenerated dependency lock files:

    • Updated agent/agent-tooling/gradle.lockfile with secure versions
    • Used --write-locks to ensure consistent dependency resolution

Verification

  • ✅ All existing tests pass
  • ✅ Agent builds successfully
  • ✅ No vulnerable versions remain in dependency tree
  • ✅ Dependency insight confirms secure versions are resolved:
    • nimbus-jose-jwt: 10.0.1 → 10.3
    • reactor-netty-http: 1.0.48 → 1.2.8

The changes are minimal and surgical, affecting only the necessary dependency constraints to address the security vulnerabilities while maintaining full compatibility with existing functionality.

Fixes #100.
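As an added example, not code from the PR or the project: a small checker for the "No vulnerable versions remain in dependency tree" verification step. It parses text in `gradle.lockfile` format (the sample below is constructed to imitate the pre-fix state and is not the project's `agent/agent-tooling/gradle.lockfile`), flags the two coordinates the PR pins when they are below the fixed versions, and flags gson 2.11.0 if it is still locked; the gson coordinate `com.google.code.gson:gson` is assumed.

```python
from typing import Dict, List, Tuple

# Constructed sample in gradle.lockfile format (group:artifact:version=configurations);
# it imitates the pre-fix state the PR describes and is NOT the project's real lockfile.
BEFORE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can easily break the lockfile.
com.google.code.gson:gson:2.11.0=runtimeClasspath
com.nimbusds:nimbus-jose-jwt:10.0.1=runtimeClasspath
io.projectreactor.netty:reactor-netty-http:1.0.48=runtimeClasspath
empty=annotationProcessor
"""

# Minimum versions the PR pins, keyed by group:artifact, with the CVE each addresses.
MIN_VERSIONS: Dict[str, Tuple[str, str]] = {
    "com.nimbusds:nimbus-jose-jwt": ("10.3", "CVE-2025-53864"),
    "io.projectreactor.netty:reactor-netty-http": ("1.2.8", "CVE-2025-22227"),
}
# CVE-2025-53864 is filed against gson 2.11.0 itself (pulled in by nimbus-jose-jwt 10.0.1),
# so that exact version must not reappear in the lock from any other path.
BANNED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "com.google.code.gson:gson": ("2.11.0", "CVE-2025-53864"),
}

def parse_lockfile(text: str) -> Dict[str, str]:
    """Map group:artifact -> locked version, skipping comments and 'empty=' lines."""
    locked: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("empty="):
            continue
        coordinate = line.split("=", 1)[0]          # drop the configuration list
        group, artifact, version = coordinate.split(":", 2)
        locked[f"{group}:{artifact}"] = version
    return locked

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering; anything after a '-' qualifier is ignored."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def find_violations(lockfile_text: str) -> List[str]:
    """Return one message per locked coordinate still at a vulnerable version."""
    locked = parse_lockfile(lockfile_text)
    problems: List[str] = []
    for coord, (minimum, cve) in MIN_VERSIONS.items():
        found = locked.get(coord)
        if found is not None and version_key(found) < version_key(minimum):
            problems.append(f"{coord}:{found} is below {minimum} ({cve})")
    for coord, (banned, cve) in BANNED_VERSIONS.items():
        if locked.get(coord) == banned:
            problems.append(f"{coord}:{banned} is still locked ({cve})")
    return problems
```

Run it against the regenerated lockfile in CI so a later dependency bump that silently downgrades either artifact fails the build.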


Copilot AI changed the title from "[WIP] owasp" to "Fix CVE-2025-53864 and CVE-2025-22227 by updating vulnerable dependencies" Jul 23, 2025
Copilot AI requested a review from trask July 23, 2025 18:19
Copilot finished work on behalf of trask July 23, 2025 18:19
Comment on lines +74 to +75
"com.nimbusds:nimbus-jose-jwt:10.3", // CVE-2025-53864 fix
"io.projectreactor.netty:reactor-netty-http:1.2.8" // CVE-2025-22227 fix
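Review bot: the inline comment on line 74 reads "CVE-2025-53864 fix", but per the PR description that CVE is in gson 2.11.0, which nimbus-jose-jwt 10.0.1 pulls in transitively; the bump to 10.3 addresses it only because the newer nimbus-jose-jwt no longer depends on gson. Make the comment say that, e.g. `"com.nimbusds:nimbus-jose-jwt:10.3", // CVE-2025-53864: drops transitive gson 2.11.0`, so a later reader does not conclude nimbus-jose-jwt itself was the vulnerable artifact, and consider a constraint on gson as well in case another path brings it back.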

@copilot what are the transitive dependencies pulling this in?

trask (Owner):
https://gh.io/copilot-coding-agent-docs what are the transitive dependencies pulling these in?

Copilot AI (Author):
Based on the dependency insight, here are the transitive dependencies pulling these in:

nimbus-jose-jwt 10.0.1 (CVE-2025-53864):

  • com.azure:azure-identity → com.microsoft.azure:msal4j:1.21.0 → com.nimbusds:oauth2-oidc-sdk:11.23 → com.nimbusds:nimbus-jose-jwt:10.0.1

reactor-netty-http 1.0.48 (CVE-2025-22227):

  • Multiple Azure SDK components via com.azure:azure-core-http-netty:1.15.12:
    • com.azure:azure-monitor-opentelemetry-autoconfigure:1.2.0
    • com.azure:azure-identity:1.16.2
    • com.azure:azure-storage-blob:12.30.1
    • com.azure:azure-storage-common:12.29.1

The dependency constraints I added force these to the secure versions (10.3 and 1.2.8 respectively).

trask (Owner):

what are the versions of these two dependencies currently?

Copilot AI (Author):

Based on the dependency insight, here are the current versions:

Before my changes:

  • nimbus-jose-jwt: 10.0.1 (vulnerable)
  • reactor-netty-http: 1.0.48 (vulnerable)

After my changes:

  • nimbus-jose-jwt: 10.3 (secure)
  • reactor-netty-http: 1.2.8 (secure)

The dependency constraints I added in lines 74-75 force these to the secure versions.

Copilot AI requested a review from trask July 23, 2025 19:01
Copilot finished work on behalf of trask July 23, 2025 19:01
Copilot finished work on behalf of trask July 23, 2025 19:21
Development: successfully merging this pull request may close the issue "owasp". 2 participants.