fix(security): bump Spring Boot to 3.5.14 and Netty to 4.1.135 for CVE fixes#41928

Merged
sebastianiv21 merged 2 commits into
releasefrom
fix/cve-server-deps-netty-springboot
Jul 3, 2026

Conversation

@sebastianiv21 sebastianiv21 commented Jun 26, 2026

Contributor

Summary

Remediates reachable High CVEs in the Spring server via two dependency bumps.

| Change | Version | CVE(s) | Reachability |
| --- | --- | --- | --- |
| spring-boot-starter-parent | 3.5.12 → 3.5.14 | CVE-2026-40973 (insecure multipart temp file) | Affected — authenticated upload path |
| Netty (BOM override) | 4.1.131 → 4.1.135.Final | CVE-2026-33870, CVE-2026-42583 | Affected — request-handling path behind Caddy |
| Netty (same bump, additional) | 4.1.131 → 4.1.135.Final | CVE-2026-44249, 45416, 50010 (netty-handler); 45674, 47691 (netty-resolver-dns); 42584, 42587, 42579, 33871 (codec/http2/dns) | Newly disclosed / not_affected — cleared for free |

Why the Netty property override

Spring Boot 3.5.14's BOM manages Netty 4.1.132.Final, which is still vulnerable. <netty.version>4.1.135.Final</netty.version> is the canonical property the spring-boot-dependencies BOM consumes, so it bumps all io.netty:* artifacts consistently. There is no competing netty-bom import or direct Netty pin in the server tree.

Validation

  • mvn help:evaluate confirms effective versions: netty.version=4.1.135.Final, parent 3.5.14.
  • appsmith-server POM resolves/parses (BUILD SUCCESS).
  • No hardcoded Netty pin elsewhere downgrades or bypasses the override.

CI Trigger

/ok-to-test tags="@tag.All"

Test plan

  • CI green
  • Server boots; an HTTP-backed plugin action executes (Netty/WebFlux path)
  • No dependency-convergence/enforcer breakage

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the server platform to a newer Spring Boot release.
    • Centralized the Netty version used by the server build.
    • Removed an outdated version-specific note from a plugin configuration comment.

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/28471068281
Commit: 9102e65
Cypress dashboard.
Tags: @tag.All
Spec:


Wed, 01 Jul 2026 14:37:32 UTC

…E fixes

Bumps spring-boot-starter-parent 3.5.12 -> 3.5.14 to remediate CVE-2026-40973
(insecure multipart temporary file), and overrides the BOM-managed Netty to
4.1.135.Final to remediate reachable Netty CVEs CVE-2026-33870 and
CVE-2026-42583, plus newly disclosed netty-handler and netty-resolver-dns
advisories (CVE-2026-44249, 45416, 50010, 45674, 47691) and the
netty-codec/http2/dns set (CVE-2026-42584, 42587, 42579, 33871).

Spring Boot 3.5.14 still manages the vulnerable Netty 4.1.132, so an explicit
netty.version property override is required.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
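The validation the description relies on (effective parent version, effective `netty.version`, no hardcoded `io.netty` pin bypassing the override) can be scripted against a POM. This is an added example, not code from the PR or the Appsmith build; the POM text is constructed to resemble `app/server/pom.xml` after the bump, and only the version numbers are taken from the PR.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"


def q(tag):
    """Clark-notation name for a POM element under the Maven namespace."""
    return "{%s}%s" % (POM_NS, tag)


# Constructed sample resembling app/server/pom.xml after the PR (not the real file).
POM_AFTER_FIX = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.5.14</version>
  </parent>
  <properties>
    <netty.version>4.1.135.Final</netty.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-handler</artifactId>
    </dependency>
  </dependencies>
</project>
"""


def version_tuple(v):
    """'4.1.135.Final' -> (4, 1, 135); qualifiers such as .Final are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v or ""))


def audit_pom(pom_xml, min_boot="3.5.14", min_netty="4.1.135.Final"):
    """Report parent version, netty.version property, literal io.netty pins and a verdict."""
    root = ET.fromstring(pom_xml)
    parent = root.find(q("parent"))
    parent_ver = parent.findtext(q("version")) if parent is not None else None
    props = root.find(q("properties"))
    netty_ver = props.findtext(q("netty.version")) if props is not None else None
    pins = []  # io.netty artifacts whose <version> is a literal, not ${netty.version}
    for dep in root.iter(q("dependency")):
        ver = dep.findtext(q("version"))
        if dep.findtext(q("groupId")) == "io.netty" and ver and not ver.startswith("${"):
            pins.append((dep.findtext(q("artifactId")), ver))
    ok = bool(parent_ver and version_tuple(parent_ver) >= version_tuple(min_boot)
              and netty_ver and version_tuple(netty_ver) >= version_tuple(min_netty)
              and not pins)
    return {"parent": parent_ver, "netty_version": netty_ver,
            "hardcoded_pins": pins, "remediated": ok}
```

Run it over every `pom.xml` in the server tree; any entry in `hardcoded_pins` is a direct Netty pin that would win over the BOM property and needs removing or aligning.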
@sebastianiv21 sebastianiv21 requested a review from sharat87 as a code owner June 26, 2026 20:39
coderabbitai Bot commented Jun 26, 2026

Contributor

Walkthrough

The PR updates the app server Maven parent version, adds a centralized Netty version property, and revises an ArangoDB plugin comment to describe Netty as provided by the appsmith-server runtime.

Changes

Server dependency version updates

| Layer / File(s) | Summary |
| --- | --- |
| Server Maven versions: app/server/pom.xml | The Spring Boot parent is updated to 3.5.14, and a netty.version Maven property is added with value 4.1.135.Final. |
| ArangoDB Netty comment: app/server/appsmith-plugins/arangoDBPlugin/pom.xml | The Netty comment now describes Netty as being shipped by the appsmith-server runtime through reactor-netty-http. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A pom file twinkled, neat and bright,
With Spring and Netty tuned just right.
A comment shed its versioned glow,
And server winds kept humming low.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly summarizes the main security dependency bumps and matches the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description check | ✅ Passed | The description is mostly complete, with summary, rationale, validation, CI, and test plan aligned to the template. |

@sebastianiv21

Contributor Author

/build-deploy-preview skip-tests=true

@github-actions


Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/28264173509.
Workflow: On demand build Docker image and deploy preview.
skip-tests: true.
env: ``.
PR: 41928.
recreate: .
base-image-tag: .

@github-actions


Deploy-Preview-URL: https://ce-41928.dp.appsmith.com

@sebastianiv21 sebastianiv21 added the ok-to-test Required label for CI label Jun 26, 2026
@sebastianiv21 sebastianiv21 requested a review from subrata71 June 30, 2026 19:05

@subrata71 subrata71 left a comment

Collaborator

It's going to resolve the claimed CVEs in the CE repo but one is related to Keycloak and as a result it's not going to resolve everything that's claimed in the EE repo. Safe to merge regardless.

@sebastianiv21 sebastianiv21 merged commit 56ee2cd into release Jul 3, 2026
283 of 290 checks passed
@sebastianiv21 sebastianiv21 deleted the fix/cve-server-deps-netty-springboot branch July 3, 2026 18:27