From fb7a2df73f01c58bcbd6ede3055fca2fbad0ba79 Mon Sep 17 00:00:00 2001
From: qlonglong <qinlong.mkl@gmail.com>
Date: Tue, 21 Oct 2025 20:58:29 +0800
Subject: [PATCH] upgrade org.apache.tomcat.embed:tomcat-embed-core to 9.0.108

Due to JDK version constraints, Spring Boot cannot be upgraded further. Therefore, tomcat-embed-core can only be upgraded to 9.0.108 to address the CVE-2025-48989 vulnerability.
---
 dependencies/default/pom.xml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/dependencies/default/pom.xml b/dependencies/default/pom.xml
index c9132cc26d..46bb111570 100644
--- a/dependencies/default/pom.xml
+++ b/dependencies/default/pom.xml
@@ -101,6 +101,7 @@
     <vertx.version>4.5.21</vertx.version>
     <zipkin.version>2.24.0</zipkin.version>
     <zipkin-reporter.version>2.16.3</zipkin-reporter.version>
+    <tomcat.version>9.0.108</tomcat.version>
     <!-- Base dir of main -->
     <main.basedir>${basedir}/../..</main.basedir>
   </properties>
@@ -774,6 +775,22 @@
         <version>${java-websocket.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>org.apache.tomcat.embed</groupId>
+        <artifactId>tomcat-embed-core</artifactId>
+        <version>${tomcat.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.tomcat.embed</groupId>
+        <artifactId>tomcat-embed-el</artifactId>
+        <version>${tomcat.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.tomcat.embed</groupId>
+        <artifactId>tomcat-embed-websocket</artifactId>
+        <version>${tomcat.version}</version>
+      </dependency>
+
       <dependency>
         <groupId>org.apache.servicecomb</groupId>
         <artifactId>java-chassis-bom</artifactId>