Is it possible to upgrade Spring Security and Spring Core in Jmix 1.7.1? We have detected vulnerability CVE-2025-22228 in Jmix applications.
We set a password 80 characters long:
01234567890123456789012345678901234567890123456789012345678901234567890123456789
Then we tried a wrong password whose first 72 characters match the correct password:
01234567890123456789012345678901234567890123456789012345678901234567890100000000
The application logged in successfully.
Jmix 1.7.1 uses the latest publicly available dependencies compatible with Spring Boot 2:
- Spring Core 5.3.31
- Spring Security 5.7.11
The mentioned vulnerability is fixed in Spring Security 5.7.16, which is available only as part of Spring Enterprise Support. If you have this support package from Spring, you can just define the dependency explicitly with the proper version in your build.gradle, and it will override the dependency defined by the Jmix BOM.
Jmix versions 2.5.2 and 2.6.0 use Spring Security 6.4.4+ and don’t have this vulnerability.
Regards,
Konstantin
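One mitigation for an application that has to stay on Spring Security 5.7.11 for now, as an added example that is neither Jmix nor Spring code: a PasswordEncoder wrapper that refuses any password longer than the 72 bytes bcrypt actually hashes, so the truncated comparison described in the question cannot succeed. How this bean replaces the application's default encoder is project specific and is assumed here.

```java
import java.nio.charset.StandardCharsets;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example, not Jmix or Spring code. Wraps BCryptPasswordEncoder and rejects
 * passwords whose UTF-8 encoding exceeds the 72 bytes bcrypt hashes; the bytes
 * after that are silently ignored by the algorithm, which is what CVE-2025-22228
 * is about. Wiring it as the application's PasswordEncoder bean is assumed.
 */
public final class LengthCheckedBCryptEncoder implements PasswordEncoder {

    /** bcrypt hashes at most this many bytes of the input. */
    static final int BCRYPT_MAX_BYTES = 72;

    private final BCryptPasswordEncoder delegate = new BCryptPasswordEncoder();

    /** True when the whole password takes part in the hash. */
    static boolean withinBcryptLimit(CharSequence rawPassword) {
        return rawPassword != null
                && rawPassword.toString().getBytes(StandardCharsets.UTF_8).length <= BCRYPT_MAX_BYTES;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        // Refuse to store a hash that covers only a prefix of the password.
        if (!withinBcryptLimit(rawPassword)) {
            throw new IllegalArgumentException("password exceeds " + BCRYPT_MAX_BYTES + " bytes");
        }
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Over-long input is rejected instead of being compared on its first 72 bytes only.
        if (!withinBcryptLimit(rawPassword)) {
            return false;
        }
        return delegate.matches(rawPassword, encodedPassword);
    }

    /** Re-runs the check from the question against both encoders (constructed input). */
    public static void main(String[] args) {
        String correct = "01234567890123456789012345678901234567890123456789012345678901234567890123456789";
        String wrong = "01234567890123456789012345678901234567890123456789012345678901234567890100000000";
        String hash = new BCryptPasswordEncoder().encode(correct);
        System.out.println("plain bcrypt matches wrong password: " + new BCryptPasswordEncoder().matches(wrong, hash));
        System.out.println("wrapped encoder matches wrong password: " + new LengthCheckedBCryptEncoder().matches(wrong, hash));
    }
}
```

Existing users whose stored password exceeds 72 bytes will no longer be able to log in through the wrapper, so plan a password reset for them before enabling it.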