
fix: resolves CVE-2025-67030#2476

Open
wfouche wants to merge 4 commits into jbangdev:main from wfouche:dev/CVE-2025-67030

Conversation

@wfouche (Contributor)

wfouche commented May 24, 2026

Summary by CodeRabbit

  • Chores
    • Updated two build-time dependencies to newer versions.
    • No changes to public APIs or exported interfaces.
    • This is an internal maintenance update with no changes to user-facing behavior or functionality.

@coderabbitai (Contributor, Bot)

coderabbitai Bot commented May 24, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 78945bb and a57eb6b.

📒 Files selected for processing (1)
  • build.gradle

Walkthrough

Two dependency versions in build.gradle were bumped: org.codehaus.plexus:plexus-java from 1.2.0 to 1.5.2, and org.apache.maven:maven-model from 3.9.11 to 3.9.16. No other build logic or declarations changed.

Changes

Build dependency updates

Layer | File(s) | Summary
Plexus Java version bump | build.gradle | org.codehaus.plexus:plexus-java updated from 1.2.0 to 1.5.2.
Maven Model version bump | build.gradle | org.apache.maven:maven-model updated from 3.9.11 to 3.9.16.

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 I nibbled at the build today,
Two versions hopped along my way,
Plexus and Maven got a lift,
Small bumps that give the build a gift. 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly identifies a CVE fix as the primary change, which aligns with the dependency updates in build.gradle that address security vulnerabilities.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

@coderabbitai (Contributor, Bot) left a comment

Actionable comments posted: 1

Inline comments:
In `@build.gradle`:
- Line 173: The maven-model version bump to org.apache.maven:maven-model:3.9.16
alone may not eliminate CVE-2025-67030 because the vulnerability is in
plexus-utils; run your build's dependency resolution (e.g., Gradle
dependencyInsight/dependencies) to verify which org.codehaus.plexus:plexus-utils
version is actually resolved and ensure it is outside the vulnerable range, and
if it isn’t, add a direct dependency or a dependencyConstraint/force for
plexus-utils to a fixed safe version; then compile and run tests to confirm
there are no API/binary compatibility breaks for usages of
org.apache.maven.model.Model and org.apache.maven.model.io.xpp3.MavenXpp3Reader
when moving from 3.9.11 to 3.9.16 (or adjust to a different mitigation if
incompatibilities are found).
📥 Commits

Reviewing files that changed from the base of the PR and between 00f9490 and 7734aad.

📒 Files selected for processing (1)
  • build.gradle

Comment thread build.gradle
implementation "eu.maveniverse.maven.mima:context:2.4.36"
runtimeOnly "eu.maveniverse.maven.mima.runtime:standalone-static:2.4.36"
implementation "org.apache.maven:maven-model:3.9.11"
implementation "org.apache.maven:maven-model:3.9.16"
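Review bot: this hunk only moves the org.apache.maven:maven-model coordinate from 3.9.11 to 3.9.16 and does not pin org.codehaus.plexus:plexus-utils, which is where the thread's own analysis places CVE-2025-67030 (org.codehaus.plexus.util.Expand); the author's later `./gradlew dependencies` output shows plexus-utils resolving to 3.6.1, while the quoted community reports cite 4.0.2/4.0.3 as the versions used to address the CVE, so the PR should either state why 3.6.1 is outside the vulnerable range or make the fix explicit with a constraint next to this line, e.g. `constraints { implementation 'org.codehaus.plexus:plexus-utils:<fixed-version-from-advisory>' }`, together with a one-line comment in build.gradle naming the CVE so a later dependency cleanup does not drop the pin.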

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Does CVE-2025-67030 affect org.apache.maven:maven-model and is it fixed in version 3.9.16?

💡 Result:

No clear evidence shows that CVE-2025-67030 directly affects the Apache Maven “maven-model” artifact (org.apache.maven:maven-model). The vulnerability described for CVE-2025-67030 is a directory traversal in org.codehaus.plexus.util.Expand (plexus-utils) in versions before the commit fix [1]. However, in practice, “maven-model” can be part of dependency trees that pull in plexus-utils (e.g., an example shows maven-model depending on plexus-utils:3.6.0 transitively) [2]. If your build uses a plexus-utils version in the vulnerable range via such transitive dependency, then you would be affected even if the flaw is in plexus-utils rather than maven-model itself [1][2].

Is it fixed in Maven Model 3.9.16? The sources available here do not state that org.apache.maven:maven-model:3.9.16 upgrades plexus-utils to a non-vulnerable version. They only identify the plexus-utils fix by commit 6d780b3378829318ba5c2d29547e0012d5b29642 / the vulnerable range “before 6d780b…” [1]. Community reports indicate plexus-utils versions like 4.0.2/4.0.3 are used to address CVE-2025-67030, and one example explicitly recommends upgrading maven-model so it pulls in plexus-utils >= 4.0.2 [2], but none of the retrieved sources confirm that 3.9.16 does that specific upgrade [2].

Bottom line:
  • CVE-2025-67030 is a plexus-utils (Expand.extractFile) issue [1], not a direct maven-model code issue.
  • You may still be exposed if your dependency resolution brings in a vulnerable plexus-utils version transitively through maven-model (shown in one example) [2].
  • I cannot confirm from the provided authoritative sources that maven-model 3.9.16 is fixed for CVE-2025-67030; the fix depends on which plexus-utils version your build actually resolves [1].

Recommended check:
  • In the environment where you run Maven, inspect the resolved dependency graph for plexus-utils (e.g., mvn dependency:tree) and verify the plexus-utils version is not in the vulnerable range described by the CVE [1].

🌐 Web query:

What is the latest version of org.apache.maven:maven-model and does version 3.9.16 exist?

💡 Result:

Latest version of org.apache.maven:maven-model: 3.9.16 (shown in the official Maven Model 3.9.16 dependency coordinates) [1][2]. Does version 3.9.16 exist? Yes—official Maven Model documentation for version 3.9.16 exists and includes the coordinates org.apache.maven:maven-model:3.9.16 [1].


🏁 Script executed:

#!/bin/bash
# Description: Verify maven-model version 3.9.16 exists in Maven Central and check for API compatibility

# Check if version 3.9.16 exists in Maven Central
echo "Checking if maven-model version 3.9.16 exists in Maven Central..."
curl -sf "https://repo1.maven.org/maven2/org/apache/maven/maven-model/3.9.16/maven-model-3.9.16.pom" > /dev/null && echo "✓ Version 3.9.16 exists" || echo "✗ Version 3.9.16 not found"

# Check Maven Central for latest versions
echo -e "\nFetching available versions from Maven Central..."
curl -s "https://repo1.maven.org/maven2/org/apache/maven/maven-model/maven-metadata.xml" | grep -o '<version>[^<]*</version>' | sed 's/<[^>]*>//g' | tail -10

# Verify usage patterns in codebase are compatible
echo -e "\nVerifying Model class usage patterns in codebase..."
rg -n "org\.apache\.maven\.model\.Model" --type java -C2

Repository: jbangdev/jbang


Recheck the CVE-2025-67030 rationale for the maven-model version bump (build.gradle:173)

  • CVE-2025-67030 is reported as a plexus-utils/org.codehaus.plexus.util.Expand directory-traversal issue, not a direct org.apache.maven:maven-model code issue—upgrading to maven-model:3.9.16 only fixes it if your resolved dependency tree pulls in a non-vulnerable plexus-utils version transitively.
  • org.apache.maven:maven-model:3.9.16 exists in Maven Central.
  • Still need to check the resolved dependency graph for plexus-utils (to ensure the vulnerable range is eliminated) and confirm no API/binary compatibility breaks for the existing org.apache.maven.model.Model / org.apache.maven.model.io.xpp3.MavenXpp3Reader usage across the 3.9.11 to 3.9.16 upgrade.

@wfouche (Contributor, Author)

wfouche commented May 24, 2026

Output from ./gradlew dependencies | grep plexus-utils:

|    \--- org.codehaus.plexus:plexus-utils:3.6.1
|    \--- org.codehaus.plexus:plexus-utils:3.6.1
     |    |    |    |    \--- org.codehaus.plexus:plexus-utils:3.6.0 -> 3.6.1
     |    |    |    \--- org.codehaus.plexus:plexus-utils:3.6.0 -> 3.6.1
     |    |    \--- org.codehaus.plexus:plexus-utils:3.6.0 -> 3.6.1
          +--- org.codehaus.plexus:plexus-utils:3.6.0 -> 3.6.1
          |    \--- org.codehaus.plexus:plexus-utils:3.6.0 -> 3.6.1
               +--- org.codehaus.plexus:plexus-utils:3.4.1 -> 3.6.1
|    \--- org.codehaus.plexus:plexus-utils:3.6.1
|    \--- org.codehaus.plexus:plexus-utils:3.6.1
|    |    |    |    |    \--- org.codehaus.plexus:plexus-utils:3.6.0 -> 3.6.1
|    |    |    |    \--- org.codehaus.plexus:plexus-utils:3.6.0 -> 3.6.1
|    |    |    \--- org.codehaus.plexus:plexus-utils:3.6.0 -> 3.6.1
|         +--- org.codehaus.plexus:plexus-utils:3.6.0 -> 3.6.1
|         |    \--- org.codehaus.plexus:plexus-utils:3.6.0 -> 3.6.1
|              +--- org.codehaus.plexus:plexus-utils:3.4.1 -> 3.6.1

Implied dependency org.codehaus.plexus:plexus-utils resolves to version 3.6.1
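The check CodeRabbit asks for above (run dependency resolution, find which plexus-utils version is actually resolved, and confirm it is outside the vulnerable range) is easy to get wrong by eye when the tree is long and most lines show a `declared -> resolved` arrow. The script below, an added example that is not part of the PR or of the jbang build, parses that Gradle output, collects only the resolved versions for one coordinate, and reports any that fall below a minimum. The embedded sample is a constructed subset of the author's posted output plus one extra plexus-java line to show that other artifacts are ignored; the threshold 4.0.2 is taken from the community reports quoted in the review and is an assumed floor, not an authoritative fixed version, so replace it with the value from the advisory you are tracking.

```python
import re
import sys
from typing import List, Set, Tuple

# Constructed sample: a subset of the `./gradlew dependencies | grep plexus-utils`
# output posted in the PR, plus one plexus-java line (constructed) to show filtering.
SAMPLE_OUTPUT = """\
|    \\--- org.codehaus.plexus:plexus-utils:3.6.1
     |    |    |    |    \\--- org.codehaus.plexus:plexus-utils:3.6.0 -> 3.6.1
          +--- org.codehaus.plexus:plexus-utils:3.6.0 -> 3.6.1
               +--- org.codehaus.plexus:plexus-utils:3.4.1 -> 3.6.1
+--- org.codehaus.plexus:plexus-java:1.5.2
"""

# Gradle prints "group:artifact:version" when the declared version was kept, or
# "group:artifact:declared -> resolved" when conflict resolution picked another one.
# Trailing markers such as "(*)" or "(c)" are left unmatched and ignored.
_DEP_RE = re.compile(
    r"(?P<coord>[\w.\-]+:[\w.\-]+):(?P<declared>\S+)(?:\s*->\s*(?P<resolved>\S+))?"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.6.1' into (3, 6, 1); a non-numeric segment such as 'SNAPSHOT' ends the parse."""
    parts: List[int] = []
    for seg in re.split(r"[.\-]", v):
        if not seg.isdigit():
            break
        parts.append(int(seg))
    return tuple(parts)


def resolved_versions(tree_output: str, coordinate: str) -> Set[str]:
    """Return the set of versions Gradle actually resolved for `coordinate`.

    The arrow target wins over the declared version, because only the resolved
    version ends up on the classpath.
    """
    found: Set[str] = set()
    for line in tree_output.splitlines():
        m = _DEP_RE.search(line)
        if m and m.group("coord") == coordinate:
            found.add(m.group("resolved") or m.group("declared"))
    return found


def below_minimum(tree_output: str, coordinate: str, minimum: str) -> List[str]:
    """Resolved versions of `coordinate` older than `minimum`; an empty list means the check passes."""
    floor = parse_version(minimum)
    return sorted(
        v for v in resolved_versions(tree_output, coordinate) if parse_version(v) < floor
    )


if __name__ == "__main__":
    # Usage: ./gradlew dependencies | python check_plexus_utils.py
    # Without piped input the constructed sample above is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    coordinate = "org.codehaus.plexus:plexus-utils"
    minimum = "4.0.2"  # assumed floor from the quoted community reports; confirm against the advisory
    resolved = resolved_versions(text, coordinate)
    stale = below_minimum(text, coordinate, minimum)
    print(f"{coordinate} resolves to: {sorted(resolved) or 'not found'}")
    if stale:
        print(f"FAIL: {stale} below minimum {minimum}; add a constraint or direct dependency")
        sys.exit(1)
    print(f"OK: every resolved version is >= {minimum}")
```

On the author's output this reports that plexus-utils resolves to 3.6.1 everywhere, which is the fact the review wanted confirmed; whether 3.6.1 is inside or outside the vulnerable range is then a question for the advisory, and if a constraint is added to build.gradle, re-running the script is the regression check that the constraint actually took effect across every path in the tree.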
