From f582279c67df4b817cfe098f3545ce4b9ba6c237 Mon Sep 17 00:00:00 2001 From: Luis Ibarra Date: Fri, 26 Jun 2026 15:39:03 -0500 Subject: [PATCH] fix(security): bump Spring Boot to 3.5.14 and Netty to 4.1.135 for CVE fixes Bumps spring-boot-starter-parent 3.5.12 -> 3.5.14 to remediate CVE-2026-40973 (insecure multipart temporary file), and overrides the BOM-managed Netty to 4.1.135.Final to remediate reachable Netty CVEs CVE-2026-33870 and CVE-2026-42583, plus newly disclosed netty-handler and netty-resolver-dns advisories (CVE-2026-44249, 45416, 50010, 45674, 47691) and the netty-codec/http2/dns set (CVE-2026-42584, 42587, 42579, 33871). Spring Boot 3.5.14 still manages the vulnerable Netty 4.1.132, so an explicit netty.version property override is required. Co-Authored-By: Claude Opus 4.8 --- app/server/appsmith-plugins/arangoDBPlugin/pom.xml | 2 +- app/server/pom.xml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/app/server/appsmith-plugins/arangoDBPlugin/pom.xml b/app/server/appsmith-plugins/arangoDBPlugin/pom.xml index 92901b25fcac..7c3307d84343 100644 --- a/app/server/appsmith-plugins/arangoDBPlugin/pom.xml +++ b/app/server/appsmith-plugins/arangoDBPlugin/pom.xml @@ -55,7 +55,7 @@ diff --git a/app/server/pom.xml b/app/server/pom.xml index 7204205fa307..2eb7ca3f6cc1 100644 --- a/app/server/pom.xml +++ b/app/server/pom.xml @@ -7,7 +7,7 @@ org.springframework.boot spring-boot-starter-parent - 3.5.12 + 3.5.14 @@ -37,6 +37,7 @@ ${java.version} 4.4.0 5.0.0-alpha.2 + 4.1.135.Final 4.12.0 3.15.0 UTF-8
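Review bot: the arangoDBPlugin/pom.xml hunk (`@@ -55,7 +55,7 @@`) carries no visible changed lines in this patch as extracted, and the commit message describes only the two app/server/pom.xml edits, so the one-line change this hunk makes to the plugin is undocumented. Please state in the commit message what was changed in arangoDBPlugin/pom.xml (for example which dependency or version it touches and whether it is part of the Netty remediation), so a reader of the history can see why a plugin POM moved in a parent/BOM bump.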
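Review bot: the parent bump `- 3.5.12` / `+ 3.5.14` in app/server/pom.xml moves every dependency version the Spring Boot BOM manages, not only the multipart fix the message cites, and by the message's own account it does not move Netty off 4.1.132 on its own. Please record in the PR that the build and test suite were run against 3.5.14 with the Netty override present, and treat the two app/server/pom.xml hunks as one unit that must land together, since reverting or cherry-picking the parent bump alone would leave the Netty advisories unremediated.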
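Review bot: the `+ 4.1.135.Final` property in app/server/pom.xml only overrides the BOM-managed Netty if its name matches exactly the property the Spring Boot parent uses for its Netty BOM import (`netty.version`, per the commit message); the extracted hunk shows the value but not the property element, and a misspelled name would silently leave 4.1.132 in place with no build error. Please confirm the element name in the diff and add a verification step to the PR: `mvn -f app/server/pom.xml help:effective-pom` to check the managed version, and `mvn -f app/server/pom.xml dependency:tree -Dincludes=io.netty` to confirm no io.netty artifact still resolves to 4.1.132 in any module, including the plugins. Consider also a maven-enforcer-plugin `bannedDependencies` rule excluding io.netty artifacts below 4.1.135.Final, so a future parent bump that drops or shadows the override fails the build instead of quietly regressing. One caveat to note in the description: reactor-netty stays at the version the 3.5.14 BOM manages, which was built against 4.1.132, so the integration tests that exercise the reactive HTTP path are the check that the newer Netty is compatible.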