While running an SCA scan against the Joern CLI distribution, I found multiple known CVEs in bundled dependencies across several frontends/modules (both direct and transitive). In many environments this becomes a policy blocker (SCA/SBOM gates, “no known CVEs” requirements), even if the vulnerable code paths are not used at runtime. So please consider upgrading the affected dependencies to patched versions in order to remediate the CVEs.
| Vulnerable library | Installed version | Found in component | Known CVEs | Severities | Suggested upgrade version |
|---|---|---|---|---|---|
| com.google.protobuf:protobuf-java | 3.18.0 | joern-cli/lib; c2cpg; csharpsrc2cpg; ghidra2cpg; gosrc2cpg; javasrc2cpg; jssrc2cpg; kotlin2cpg; php2cpg; pysrc2cpg; rubysrc2cpg; swiftsrc2cpg | CVE-2021-22569, CVE-2022-3509, CVE-2022-3510, CVE-2024-7254 | HIGH | 3.25.5 (or 4.28.2) |
| com.google.protobuf:protobuf-java | 3.21.8 | ghidra2cpg (bundled inside io.joern.ghidra-11.4_… jar) | CVE-2024-7254 | HIGH | 3.25.5 (or 4.28.2) |
| org.msgpack:msgpack-core | 0.9.1 | joern-cli/lib; c2cpg; csharpsrc2cpg; ghidra2cpg; gosrc2cpg; javasrc2cpg; jimple2cpg; jssrc2cpg; kotlin2cpg; php2cpg; pysrc2cpg; rubysrc2cpg; swiftsrc2cpg | CVE-2026-21452 | HIGH | 0.9.11 |
| io.undertow:undertow-core | 2.3.18.Final | joern-cli/lib | CVE-2025-12543, CVE-2025-9784 | CRITICAL / HIGH | 2.3.20.Final (or 2.2.38.Final) |
| com.squareup.okhttp3:okhttp | 4.7.2 | kotlin2cpg | CVE-2021-0341 | HIGH | 4.9.2 |
| commons-io:commons-io | 2.11.0 | ghidra2cpg (bundled inside io.joern.ghidra-11.4_… jar) | CVE-2024-47554 | HIGH | 2.14.0 |
| Go stdlib (goastgen binaries) | v1.21.12 | gosrc2cpg/bin/astgen/goastgen-linux; goastgen-linux-arm64; goastgen-macos; goastgen-macos-arm64; goastgen-windows.exe | CVE-2024-34156, CVE-2025-47907, CVE-2025-58183, CVE-2025-61729 | HIGH | 1.24.11+ (or newer incl. fixed versions listed by CVE) |