[SECURITY] Project vulnerable due to grpc-netty-shaded dependency (CVE-2025-55163) #1188

@apodznoev

Description

The context

The project appears to be affected by CVE-2025-55163, which impacts the io.grpc:grpc-netty-shaded dependency transitively brought in by io.grpc.

Dependency Reference:
The vulnerable dependency is introduced at:
https://github.com/grpc-ecosystem/grpc-spring/blob/master/build.gradle#L14C9-L14C20 with version 1.63.0; the vulnerability is fixed in 1.75.0.

Impact:
The referenced CVE describes a vulnerability that could allow attackers to exploit network traffic processed by grpc-netty-shaded, potentially leading to denial of service or other security issues.

Remediation
Update io.grpc:grpc-bom to the patched version 1.75.0 as recommended in the advisory.
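One way to confirm which version a build actually resolves before and after the bump, as an added example that is not part of this issue or of grpc-spring: a small Python checker over the text that `./gradlew dependencies` prints, reporting any resolved io.grpc:grpc-netty-shaded older than 1.75.0. The dependency tree below is constructed sample output, not real project output.

```python
"""Check a `gradle dependencies` tree for grpc-netty-shaded versions below the fixed release."""
import re
from typing import List, Tuple

# Constructed sample of `gradle dependencies` output (not real grpc-spring output):
# one declaration resolves via the BOM to 1.63.0, another is bumped to 1.75.0 by conflict resolution.
SAMPLE_TREE = "\n".join([
    "runtimeClasspath - Runtime classpath of source set 'main'.",
    "+--- io.grpc:grpc-bom:1.63.0",
    "+--- io.grpc:grpc-netty-shaded -> 1.63.0",
    "|    \\--- io.grpc:grpc-core:1.63.0",
    "+--- io.grpc:grpc-netty-shaded:1.63.0 -> 1.75.0 (*)",
    "\\--- io.grpc:grpc-stub:1.63.0 (*)",
])

# Matches `group:artifact[:declared][ -> resolved]` as printed in Gradle's dependency tree.
_DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<name>[\w.\-]+)(?::(?P<declared>\S+))?(?:\s+->\s+(?P<resolved>\S+))?"
)

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.75.0' -> (1, 75, 0); non-numeric suffixes such as '-SNAPSHOT' are ignored."""
    parts = []
    for p in v.split(".")[:3]:
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def resolved_versions(tree: str, group: str, artifact: str) -> List[str]:
    """Distinct versions Gradle actually resolved for group:artifact (the '-> x' wins over the declared one)."""
    seen: List[str] = []
    for line in tree.splitlines():
        if "---" not in line:
            continue  # configuration header / blank lines
        m = _DEP_RE.search(line)
        if not m or m.group("group") != group or m.group("name") != artifact:
            continue
        version = m.group("resolved") or m.group("declared")
        if version and version not in seen:
            seen.append(version)
    return seen

def find_vulnerable(tree: str, group: str = "io.grpc",
                    artifact: str = "grpc-netty-shaded", fixed: str = "1.75.0") -> List[str]:
    """Resolved versions of the artifact older than the release that fixes CVE-2025-55163 (1.75.0)."""
    return [v for v in resolved_versions(tree, group, artifact)
            if parse_version(v) < parse_version(fixed)]

if __name__ == "__main__":
    print("vulnerable versions resolved:", find_vulnerable(SAMPLE_TREE) or "none")
```

Pipe real output in with `./gradlew dependencies --configuration runtimeClasspath` and check every configuration you ship, since a BOM-managed version can differ between them.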
