fix(security): bump Spring Boot to 3.5.14 and Netty to 4.1.135 for CVE fixes #41928

Open

sebastianiv21 wants to merge 1 commit into release from fix/cve-server-deps-netty-springboot

Conversation

sebastianiv21 (Contributor) commented Jun 26, 2026

Summary

Remediates reachable Critical/High CVEs in the Spring server via two dependency bumps. Scope was deliberately limited to vulnerabilities that are actually reachable in Appsmith's supported deployment.

| Change | Version | CVE(s) | Reachability |
|---|---|---|---|
| spring-boot-starter-parent | 3.5.12 → 3.5.14 | CVE-2026-40973 (insecure multipart temp file) | Affected — authenticated upload path |
| Netty (BOM override) | 4.1.131 → 4.1.135.Final | CVE-2026-33870, CVE-2026-42583 | Affected — request-handling path behind Caddy |
| Netty (same bump, additional) | 4.1.131 → 4.1.135.Final | CVE-2026-44249, 45416, 50010 (netty-handler); 45674, 47691 (netty-resolver-dns); 42584, 42587, 42579, 33871 (codec/http2/dns) | Newly disclosed / not_affected — cleared for free |

Why the Netty property override

Spring Boot 3.5.14's BOM manages Netty 4.1.132.Final, which is still vulnerable. <netty.version>4.1.135.Final</netty.version> is the canonical property the spring-boot-dependencies BOM consumes, so it bumps all io.netty:* artifacts consistently. There is no competing netty-bom import or direct Netty pin in the server tree.

Validation

  • mvn help:evaluate confirms effective versions: netty.version=4.1.135.Final, parent 3.5.14.
  • appsmith-server POM resolves/parses (BUILD SUCCESS).
  • No hardcoded Netty pin elsewhere downgrades or bypasses the override.

Review

Multi-agent council review (senior-architect, security-reviewer, qa-engineer, dx-engineer): all APPROVE WITH RISKS, no blockers. Security independently verified each fix via OSV.

CI Trigger

/ok-to-test tags="@tag.All"

Test plan

  • CI green
  • Server boots; an HTTP-backed plugin action executes (Netty/WebFlux path)
  • No dependency-convergence/enforcer breakage

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the server platform to a newer Spring Boot release.
    • Centralized the Netty version used by the server build.
    • Removed an outdated version-specific note from a plugin configuration comment.
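One way to go a step beyond the `mvn help:evaluate` check in the validation list and confirm that the override reached every resolved io.netty artifact, not just the property. This is an added example, not code from the PR or from Appsmith; it assumes the standard `mvn dependency:list` output format and uses constructed sample POM and dependency-list text so it runs offline.

```shell
# Added example (not part of the PR). `mvn help:evaluate` only proves the
# netty.version property value; a stray pin elsewhere could still resolve an
# io.netty artifact lower. This checks the property AND every resolved
# io.netty:* version. In a real checkout, feed check_netty_versions the live
# output of `mvn dependency:list` run from the server module.
# The inputs below are constructed samples so this runs offline.
EXPECTED_NETTY="4.1.135.Final"

# Constructed fragment of the server POM after the bump.
SAMPLE_POM='<project>
  <parent>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.5.14</version>
  </parent>
  <properties>
    <netty.version>4.1.135.Final</netty.version>
  </properties>
</project>'

# Constructed dependency:list output. One artifact is deliberately left on
# the BOM default 4.1.132.Final to show what a bypassed override looks like.
SAMPLE_DEPLIST='[INFO] The following files have been resolved:
[INFO]    io.netty:netty-handler:jar:4.1.135.Final:compile
[INFO]    io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.135.Final:compile
[INFO]    io.netty:netty-resolver-dns:jar:4.1.132.Final:compile
[INFO]    io.projectreactor.netty:reactor-netty-http:jar:1.2.99:compile'

# Print the first <netty.version> value found in POM text (empty if absent).
pom_netty_version() {
    printf '%s\n' "$1" | sed -n 's|.*<netty\.version>\([^<]*\)</netty\.version>.*|\1|p' | head -n 1
}

# Report every io.netty:* artifact whose resolved version is not $2.
# The version is the field before the scope, so classifier lines are handled.
# Returns 0 when all match, 1 when at least one stray version exists.
check_netty_versions() {
    stray=$(printf '%s\n' "$1" | awk -F: -v want="$2" '
        $1 ~ /(^| )io\.netty$/ && $(NF-1) != want { print $2 " " $(NF-1) }')
    [ -z "$stray" ] && return 0
    printf 'io.netty artifacts not at %s:\n%s\n' "$2" "$stray" >&2
    return 1
}

if [ "$(pom_netty_version "$SAMPLE_POM")" = "$EXPECTED_NETTY" ] \
   && check_netty_versions "$SAMPLE_DEPLIST" "$EXPECTED_NETTY"; then
    echo "netty override declared and effective for every io.netty artifact"
else
    echo "netty override check failed; see the stray artifacts reported above"
fi
```

Against the constructed sample the check fails on netty-resolver-dns, which is exactly the "hardcoded pin elsewhere" case the validation bullet is guarding against.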

Tip: 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/28267051979
Commit: f582279
Cypress dashboard.
Tags: @tag.All
Spec:

Fri, 26 Jun 2026 22:59:08 UTC

…E fixes

Bumps spring-boot-starter-parent 3.5.12 -> 3.5.14 to remediate CVE-2026-40973
(insecure multipart temporary file), and overrides the BOM-managed Netty to
4.1.135.Final to remediate reachable Netty CVEs CVE-2026-33870 and
CVE-2026-42583, plus newly disclosed netty-handler and netty-resolver-dns
advisories (CVE-2026-44249, 45416, 50010, 45674, 47691) and the
netty-codec/http2/dns set (CVE-2026-42584, 42587, 42579, 33871).

Spring Boot 3.5.14 still manages the vulnerable Netty 4.1.132, so an explicit
netty.version property override is required.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sebastianiv21 sebastianiv21 requested a review from sharat87 as a code owner June 26, 2026 20:39
coderabbitai (Bot, Contributor) commented Jun 26, 2026

Walkthrough

The PR updates the app server Maven parent version, adds a centralized Netty version property, and revises an ArangoDB plugin comment to describe Netty as provided by the appsmith-server runtime.

Changes

Server dependency version updates

| Layer / File(s) | Summary |
|---|---|
| Server Maven versions: app/server/pom.xml | The Spring Boot parent is updated to 3.5.14, and a netty.version Maven property is added with value 4.1.135.Final. |
| ArangoDB Netty comment: app/server/appsmith-plugins/arangoDBPlugin/pom.xml | The Netty comment now describes Netty as being shipped by the appsmith-server runtime through reactor-netty-http. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A pom file twinkled, neat and bright,
With Spring and Netty tuned just right.
A comment shed its versioned glow,
And server winds kept humming low.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main security dependency bumps and matches the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description check | ✅ Passed | The description is detailed and relevant, covering summary, motivation, validation, and test plan, though it omits the issue link and some template-specific sections. |

sebastianiv21 (Contributor, Author) commented:

/build-deploy-preview skip-tests=true

github-actions (bot) commented:

Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/28264173509.
Workflow: On demand build Docker image and deploy preview.
skip-tests: true.
env: ``.
PR: 41928.
recreate: .
base-image-tag: .

github-actions (bot) commented:

Deploy-Preview-URL: https://ce-41928.dp.appsmith.com

@sebastianiv21 sebastianiv21 added the ok-to-test Required label for CI label Jun 26, 2026