fix(deps): bump gson to 2.11.0 to patch CVE-2022-25647#81
Gabrielpanga wants to merge 1 commit into
gson < 2.8.9 is vulnerable to deserialization of untrusted data (CVE-2022-25647 / GHSA-4jrv-ppp4-jm57, high). The dependency is declared directly in pom.xml, so the transitive copy from retrofit converter-gson does not shadow it. Bumped to 2.11.0 (mature, Java 8 baseline, covers the CVE and all fixes since). Build + unit tests pass; FieldNamingPolicy.IDENTITY behavior is unchanged across these versions.
Gabrielpanga (Member, Author) commented Jun 10, 2026
Review — ✅ Approve
Diff: +1 −1, 1 file. Clean and complete.
- Correct fix for CVE-2022-25647 / GHSA-4jrv-ppp4-jm57 (high). `gson` is a direct dependency, so bumping the declaration to `2.11.0` actually takes effect — confirmed via `mvn dependency:tree` that `gson:2.11.0` resolves with no older transitive copy shadowing it (the transitive one from `retrofit:converter-gson` is older and was being overridden).
- Version choice 2.11.0 retains the Java 8 baseline the SDK targets and leaves `FieldNamingPolicy.IDENTITY` semantics unchanged — no risk to the byte-for-byte DTO field matching.
- `mvn -B package` → BUILD SUCCESS, 4/4 unit tests pass.
Rebased onto current master. Ready to merge once approved.
What
Bumps the direct `com.google.code.gson:gson` dependency from 2.8.0 → 2.11.0.

Why
Resolves Dependabot alert #11 — CVE-2022-25647 / GHSA-4jrv-ppp4-jm57 (high): Deserialization of Untrusted Data in Gson, affecting < 2.8.9. gson is declared directly in `pom.xml`, so the transitive copy pulled by `retrofit:converter-gson` does not shadow it — the direct declaration must be bumped.

Version choice
`2.11.0` over the minimal `2.8.9`: mature, widely adopted, retains the Java 8 baseline the SDK targets, and rolls up every fix since. `FieldNamingPolicy.IDENTITY` semantics (the byte-for-byte field-matching the DTOs rely on) are unchanged across these versions.

Verification
- `mvn -B dependency:tree` confirms `gson:2.11.0` resolved
- `mvn -B package` → BUILD SUCCESS, 4/4 unit tests pass
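A CI-style check for the verification step above, as an added example that is not part of the PR or the project: it parses `mvn -B dependency:tree` output (the sample tree below is constructed, not the project's real output), ignores copies Maven reports as omitted for conflict, and fails if any gson version that actually resolves is below 2.8.9.

```shell
#!/bin/sh
# Constructed sample of `mvn -B dependency:tree` output (not the project's real tree):
# the direct gson is 2.11.0; the transitive copy from retrofit:converter-gson is older
# and is reported by Maven as omitted for conflict, so it never reaches the classpath.
SAMPLE_TREE='[INFO] com.example:sdk:jar:1.0.0
[INFO] +- com.google.code.gson:gson:jar:2.11.0:compile
[INFO] +- com.squareup.retrofit2:converter-gson:jar:2.9.0:compile
[INFO] |  \- (com.google.code.gson:gson:jar:2.8.5:compile - omitted for conflict with 2.11.0)
[INFO] \- junit:junit:jar:4.13.2:test'

# First version fixing CVE-2022-25647 (the advisory's affected range is < 2.8.9).
GSON_FIXED_VERSION=2.8.9

# version_ge A B: exit 0 if dotted version A >= B, comparing component by component.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "[.]"); m = split(b, y, "[.]"); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# resolved_gson_versions TREE: print the gson versions Maven actually resolved,
# skipping copies it reports as omitted (those are shadowed and not on the classpath).
resolved_gson_versions() {
  printf '%s\n' "$1" | grep -v 'omitted for' \
    | sed -n 's/.*com\.google\.code\.gson:gson:jar:\([0-9][0-9.]*\):.*/\1/p'
}

# gson_is_patched TREE: exit 0 only if at least one gson version resolved and every
# resolved one is at or above the fixed version; exit 1 otherwise.
gson_is_patched() {
  versions=$(resolved_gson_versions "$1")
  [ -n "$versions" ] || return 1
  for v in $versions; do
    version_ge "$v" "$GSON_FIXED_VERSION" || return 1
  done
  return 0
}

gson_is_patched "$SAMPLE_TREE" && echo "gson is patched" || echo "gson still vulnerable"
```

In a real pipeline, feed it `mvn -B dependency:tree` output instead of the constructed sample and let the non-zero exit fail the job.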