
GEODE-10577: Remediation of security vulnerability (CVE-2025-8671)#8004

Open
JinwooHwang wants to merge 1 commit into apache:develop from JinwooHwang:feature/GEODE-10577

Conversation

@JinwooHwang
Contributor

Summary

Upgrade httpcore5 and httpcore5-h2 from 5.3.4 to 5.3.6 to address a high-severity security vulnerability in httpcore5-h2.

  • org.apache.httpcomponents.core5:httpcore5: 5.3.4 → 5.3.6
  • org.apache.httpcomponents.core5:httpcore5-h2: 5.3.4 → 5.3.6

Security Vulnerability

Field               Value
Snyk ID             SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCORE5-15857052
CVE                 CVE-2025-8671
Type                Denial of Service (DoS) (CWE-400)
Severity            8.7 HIGH (CVSS v4.0)
Affected Package    org.apache.httpcomponents.core5:httpcore5-h2
Affected Versions   [0, 5.3.5)
Fixed Version       5.3.5
Disclosed           13 Aug 2025
Published           31 Mar 2026

Description

Affected versions of this package are vulnerable to Denial of Service (DoS) due to incorrect stream accounting in the handling of server-sent stream resets. An attacker can cause excessive server resource consumption by rapidly opening streams and triggering resets using malformed frames or flow control errors, resulting in the server processing an unbounded number of concurrent streams on a single connection.

References

Changes

File                             Description
DependencyConstraints.groovy     Updated httpcore5 and httpcore5-h2 versions from 5.3.4 to 5.3.6
assembly_content.txt             Updated httpcore5 and httpcore5-h2 jar filenames to new versions
gfsh_dependency_classpath.txt    Updated httpcore5 and httpcore5-h2 jar filenames to new versions
dependency_classpath.txt         Updated httpcore5 and httpcore5-h2 jar filenames to new versions
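As an added, illustrative check that is not code from this PR or from Apache Geode: the script below parses the Maven-style affected range quoted in the vulnerability table, `[0, 5.3.5)`, and scans classpath-manifest lines in the style of assembly_content.txt / dependency_classpath.txt for httpcore5-h2 jars whose version still falls inside that range. It generalizes to any Maven range and artifact, not only this advisory. The sample manifest lines, the function names (`find_affected`, `in_range`) and the jar-naming assumption (`<artifactId>-<numeric version>.jar`, entries with qualifiers such as `-SNAPSHOT` are skipped) are all constructed for the example.

```python
"""Added example (not part of the Geode PR): check jar names listed in a classpath
manifest against a Maven-style affected-version range such as '[0, 5.3.5)'."""
import posixpath
import re

# Constructed sample in the style of assembly_content.txt / dependency_classpath.txt,
# before and after the version bump; these are NOT the real contents of those files.
CLASSPATH_BEFORE = """\
lib/httpclient5-5.4.1.jar
lib/httpcore5-5.3.4.jar
lib/httpcore5-h2-5.3.4.jar
lib/commons-lang3-3.17.0.jar
"""
CLASSPATH_AFTER = CLASSPATH_BEFORE.replace("5.3.4", "5.3.6")

# Assumed naming: <artifactId>-<numeric version>.jar. Jars carrying a qualifier
# (e.g. -SNAPSHOT) do not match and are therefore skipped, not silently compared.
JAR_RE = re.compile(r"(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar")
# Maven range syntax: '[' / ']' inclusive bound, '(' / ')' exclusive bound, empty = unbounded.
RANGE_RE = re.compile(r"\s*([\[(])\s*([\d.]*)\s*,\s*([\d.]*)\s*([\])])\s*")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def compare_versions(a, b):
    """Numeric comparison with zero padding, so 5.3 == 5.3.0 as Maven treats it."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_range(spec):
    """Return (lower, lower_inclusive, upper, upper_inclusive); bounds may be None."""
    m = RANGE_RE.fullmatch(spec)
    if not m:
        raise ValueError(f"unsupported version range: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    return (
        parse_version(lo) if lo else None, lo_br == "[",
        parse_version(hi) if hi else None, hi_br == "]",
    )


def in_range(version, spec):
    """True if the numeric version string lies inside the Maven range `spec`."""
    lo, lo_inc, hi, hi_inc = parse_range(spec)
    v = parse_version(version)
    if lo is not None:
        c = compare_versions(v, lo)
        if c < 0 or (c == 0 and not lo_inc):
            return False
    if hi is not None:
        c = compare_versions(v, hi)
        if c > 0 or (c == 0 and not hi_inc):
            return False
    return True


def find_affected(classpath_text, artifact, spec):
    """Return (entry, version) for each jar of exactly `artifact` whose version is in `spec`.

    Matching is on the full artifactId, so asking for 'httpcore5' does not flag
    'httpcore5-h2' jars and vice versa.
    """
    hits = []
    for line in classpath_text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        m = JAR_RE.fullmatch(posixpath.basename(entry))
        if m and m.group("artifact") == artifact and in_range(m.group("version"), spec):
            hits.append((entry, m.group("version")))
    return hits


if __name__ == "__main__":
    for label, text in (("before", CLASSPATH_BEFORE), ("after", CLASSPATH_AFTER)):
        print(label, find_affected(text, "httpcore5-h2", "[0, 5.3.5)"))
```

Run against the "before" sample it reports the httpcore5-h2 5.3.4 jar; against the "after" sample (5.3.6) it reports nothing, which is the post-merge state the four classpath files should be in. Pointing it at the real manifest files is a one-line change to how `classpath_text` is read.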

Testing

  • build — compiles successfully
  • test — unit tests pass

For all changes, please confirm:

  • Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
  • Has your PR been rebased against the latest commit within the target branch (typically develop)?
  • Is your initial contribution a single, squashed commit?
  • Does gradlew build run cleanly?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?

@JinwooHwang JinwooHwang requested a review from marinov-code April 9, 2026 23:37
