fix(deps): update dependency org.apache.mina:mina-core to v2.2.7 [security] (alauda-2026.1.0)#116
Conversation
alaudabot
left a comment
Code Review Summary
Verdict: Approved
This PR updates the Apache MINA dependency from version 2.2.5 to 2.2.7 to address multiple critical security vulnerabilities:
- CVE-2026-41409 (CVSS 9.8)
- CVE-2026-41635 (CVSS 9.8)
- CVE-2026-42778 (CVSS 9.8)
- CVE-2026-42779 (CVSS 9.8)
All vulnerabilities are related to deserialization of untrusted data in Apache MINA's AbstractIoBuffer.
Review Findings
- Critical Issues: 0
- Warnings: 0
- Suggestions: 0
This is a straightforward dependency version update. No code changes were made beyond the version bump. The security fix is legitimate and follows standard dependency management practices.
alaudabot
left a comment
Code Review Summary
Reviewed: PR #116
Change: Dependency update org.apache.mina:mina-core 2.2.5 to 2.2.7
Result: APPROVED - No blocking issues
Analysis
This is a straightforward security dependency update addressing multiple CVEs (CVSS 9.8) related to deserialization of untrusted data in Apache MINA.
Findings
| Category | Count |
|---|---|
| Critical Issues | 0 |
| Warnings | 0 |
| Suggestions | 0 |
The dependency version bump correctly addresses the security vulnerabilities.
Force-pushed aa4a1e4 to 58c222a
This PR contains the following updates:
org.apache.mina:mina-core 2.2.5 -> 2.2.7
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Apache MINA vulnerable to Deserialization of Untrusted Data
CVE-2026-41635 / GHSA-8297-v2rf-2p32
Details
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks if the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.
The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Apache MINA Vulnerable to Deserialization of Untrusted Data (CVE-2024-52046 Incomplete Fix)
CVE-2026-41409 / GHSA-f2wh-grmh-r6jm
Details
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.
Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.
The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41635 Incomplete Fix)
CVE-2026-42779 / GHSA-vf5j-865m-mq7c
Details
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks if the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.
The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41409 Incomplete Fix)
CVE-2026-42778 / GHSA-995c-6rp3-4m4x
Details
The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.
Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.
The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
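As an added illustration of the ordering problem the four advisories describe (this is example code written for this page, not Apache MINA's code and not part of the PR): a `java.io.ObjectInputStream` whose `resolveClass()` calls `Class.forName()` before consulting the allowlist, beside one that checks the class name first. Single-argument `Class.forName(name)` initialises the class, so a rejected class still gets its static initializer executed. The `Canary` class, the `ACCEPTED` set and the hand-built serialization stream are constructed for the example; the stream is written by hand rather than with `ObjectOutputStream` so that the JVM never initialises `Canary` before the deserialization under test. Requires Java 11 or newer.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.io.ObjectStreamConstants;
import java.io.Serializable;
import java.util.Set;

public class ResolveClassOrdering {

    // Set by Canary's static initializer; records whether <clinit> ran.
    static volatile boolean canaryInitialised = false;

    // Stand-in for a class an attacker names in the stream. Its static
    // initializer is the side effect that must not run for a rejected class.
    static class Canary implements Serializable {
        private static final long serialVersionUID = 1L;
        static { canaryInitialised = true; }
    }

    // Hypothetical allowlist: the only class this receiver will deserialize.
    static final Set<String> ACCEPTED = Set.of("java.lang.String");

    // Late check: Class.forName(name) loads AND initialises the class before
    // the allowlist is consulted. The class is still rejected afterwards, but
    // Canary.<clinit> has already executed by then.
    static final class LateCheckStream extends ObjectInputStream {
        LateCheckStream(InputStream in) throws IOException { super(in); }
        @Override protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            Class<?> clazz = Class.forName(desc.getName());
            if (!ACCEPTED.contains(clazz.getName())) {
                throw new IOException("rejected class " + clazz.getName());
            }
            return clazz;
        }
    }

    // Early check: the name from the stream is compared as a string first;
    // only an accepted name is loaded, and with initialize=false as an extra
    // precaution of this example.
    static final class EarlyCheckStream extends ObjectInputStream {
        EarlyCheckStream(InputStream in) throws IOException { super(in); }
        @Override protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ACCEPTED.contains(name)) {
                throw new IOException("rejected class " + name);
            }
            return Class.forName(name, false, getClass().getClassLoader());
        }
    }

    // Constructed input: a minimal Java serialization stream naming the given
    // class (no fields, no superclass descriptor). Built by hand so that this
    // JVM never initialises Canary before the deserialization under test.
    static byte[] craftStream(String className) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeShort(ObjectStreamConstants.STREAM_MAGIC);
        out.writeShort(ObjectStreamConstants.STREAM_VERSION);
        out.writeByte(ObjectStreamConstants.TC_OBJECT);
        out.writeByte(ObjectStreamConstants.TC_CLASSDESC);
        out.writeUTF(className);                              // attacker-controlled name
        out.writeLong(1L);                                    // serialVersionUID of Canary
        out.writeByte(ObjectStreamConstants.SC_SERIALIZABLE); // class descriptor flags
        out.writeShort(0);                                    // no fields
        out.writeByte(ObjectStreamConstants.TC_ENDBLOCKDATA); // no class annotations
        out.writeByte(ObjectStreamConstants.TC_NULL);         // no superclass descriptor
        out.flush();
        return bos.toByteArray();
    }

    // Deserialize with one of the two resolveClass orderings and report
    // whether Canary's static initializer ran during the attempt.
    static boolean deserialize(byte[] stream, boolean checkBeforeLoad) {
        canaryInitialised = false;
        try (ObjectInputStream in = checkBeforeLoad
                ? new EarlyCheckStream(new ByteArrayInputStream(stream))
                : new LateCheckStream(new ByteArrayInputStream(stream))) {
            in.readObject();
        } catch (IOException | ClassNotFoundException rejected) {
            // Both orderings reject Canary; only the side effect differs.
        }
        return canaryInitialised;
    }

    public static void main(String[] args) throws IOException {
        // Canary.class.getName() loads the class but does not initialise it.
        byte[] stream = craftStream(Canary.class.getName());
        // A class initialises once per JVM, so run the early-check variant
        // first; the late-check variant is the one that triggers <clinit>.
        System.out.println("check before load, initializer ran: " + deserialize(stream, true));
        System.out.println("check after load,  initializer ran: " + deserialize(stream, false));
    }
}
```

Run it with `java ResolveClassOrdering.java`. The early-check stream rejects the name without ever loading the class; the late-check stream reports that `Canary`'s static initializer ran before the rejection, which is the window the advisories describe. The advisories say MINA's fix is the first half of this (the accepted-class filter is consulted before `Class.forName()`); the `initialize=false` argument is a defence-in-depth choice of this example, not something the advisory text describes. Before merging a bump like this one, also confirm that the artifact actually resolved in the build is 2.2.7 rather than an older version pulled in transitively, for example with `mvn dependency:tree -Dincludes=org.apache.mina:mina-core`.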