
Dependabot-Fix: Upgrade logback-core to 1.5.25 (CVE-2026-1225)#11

Open
meysholdt wants to merge 1 commit intomainfrom
dependabot-fix/logback-core-CVE-2026-1225

Conversation

@meysholdt
Contributor

Dependabot Alert

| Field | Value |
|---|---|
| Alert | View alert |
| CVE | CVE-2026-1225 |
| CVSS | 1.8 (v4, low) |
| Package | ch.qos.logback:logback-core |
| Vulnerable | < 1.5.25 |
| Fixed | 1.5.25 |
| Advisory | Logback allows an attacker to instantiate classes already present on the class path via compromised configuration files |

What changed

Added a <logback.version>1.5.25</logback.version> property override in pom.xml to upgrade the transitive logback-core (and logback-classic) dependency from 1.5.22 (managed by spring-boot-starter-parent 4.0.1) to the patched 1.5.25 release.

Verification

| Check | Command | Result |
|---|---|---|
| Compilation | ./mvnw compile | ✅ Passed |
| Tests | ./mvnw test | ✅ 59 passed, 0 failures, 0 errors |
| Spring Java Format | spring-javaformat:validate (runs in validate phase) | ✅ Passed |
| Checkstyle (nohttp) | checkstyle:check (runs in validate phase) | ✅ 0 violations |
| Dependency tree | ./mvnw dependency:tree \| grep logback | ✅ Only 1.5.25 resolved; 1.5.22 eliminated |
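As an added example (not code from the pull request or the project), the following POSIX shell script automates the last verification row above: it reads `./mvnw dependency:tree` output and fails when any logback-core or logback-classic artifact resolves below the patched 1.5.25, so the same check can gate CI instead of being eyeballed through `grep`. The sample tree lines and the script name `check_logback.sh` are constructed for this example and were not captured from the project.

```shell
#!/bin/sh
# Added example, not part of the pull request: fail when the resolved
# logback-core / logback-classic version in `./mvnw dependency:tree` output
# is below the patched release (1.5.25 for CVE-2026-1225).
#
# Real use: source this file, then pipe Maven into it:
#   ./mvnw dependency:tree | check_logback 1.5.25
# (script name check_logback.sh and the sample trees below are constructed)

# version_ge HAVE WANT: succeed when HAVE >= WANT, comparing dotted numeric
# components left to right; a trailing qualifier such as -SNAPSHOT is ignored.
version_ge() {
  a="${1%%-*}"; b="${2%%-*}"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"
    if [ "$a" = "$ah" ]; then a=''; else a="${a#*.}"; fi
    if [ "$b" = "$bh" ]; then b=''; else b="${b#*.}"; fi
    ah="${ah:-0}"; bh="${bh:-0}"          # missing component counts as 0
    if [ "$ah" -gt "$bh" ]; then return 0; fi
    if [ "$ah" -lt "$bh" ]; then return 1; fi
  done
  return 0
}

# check_logback MIN: read dependency:tree lines on stdin, report every
# logback-core or logback-classic artifact, return 1 if any resolves below MIN.
check_logback() {
  min="${1:-1.5.25}"
  status=0
  while IFS= read -r line; do
    case "$line" in
      *ch.qos.logback:logback-core:jar:*|*ch.qos.logback:logback-classic:jar:*) ;;
      *) continue ;;
    esac
    # artifact coordinates are groupId:artifactId:type:version:scope
    ver=$(printf '%s\n' "$line" | sed -n 's/.*ch\.qos\.logback:logback-[a-z]*:jar:\([^:]*\):.*/\1/p')
    if version_ge "$ver" "$min"; then
      printf 'ok         %s\n' "$line"
    else
      printf 'VULNERABLE %s\n' "$line"
      status=1
    fi
  done
  return $status
}

# Constructed sample trees (not captured from the project): the first is what
# the PR's verification row expects after the property override, the second
# shows the parent-managed 1.5.22 still being resolved.
PATCHED_TREE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter:jar:4.0.1:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-logging:jar:4.0.1:compile
[INFO]       \- ch.qos.logback:logback-classic:jar:1.5.25:compile
[INFO]          \- ch.qos.logback:logback-core:jar:1.5.25:compile'
UNPATCHED_TREE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-logging:jar:4.0.1:compile
[INFO]    \- ch.qos.logback:logback-classic:jar:1.5.22:compile
[INFO]       \- ch.qos.logback:logback-core:jar:1.5.22:compile'

# Demonstration on the constructed samples.
printf '%s\n' "$PATCHED_TREE" | check_logback 1.5.25 && echo "patched tree: clean"
printf '%s\n' "$UNPATCHED_TREE" | check_logback 1.5.25 || echo "unpatched tree: fix required"
```

The check matches artifacts by Maven coordinates rather than by the `logback.version` property, so it also catches an older logback pulled in through a different transitive path that the property override does not reach, which is the case the "Dependency tree" row is there to rule out.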

@meysholdt meysholdt force-pushed the main branch 2 times, most recently from f2c9931 to 1695684 on March 9, 2026 13:44
@meysholdt meysholdt force-pushed the dependabot-fix/logback-core-CVE-2026-1225 branch from 537efa4 to 4bb79f1 on March 9, 2026 13:59
Override logback.version property in pom.xml to resolve Dependabot
alert #1 (ch.qos.logback:logback-core < 1.5.25).

Co-authored-by: Ona <no-reply@ona.com>
@meysholdt meysholdt force-pushed the dependabot-fix/logback-core-CVE-2026-1225 branch from 4bb79f1 to d88ac60 on March 9, 2026 14:12
@sonarqubecloud

sonarqubecloud bot commented Mar 9, 2026
