Upgrade to spring-core@6.2.11 to resolve CVE-2025-41249

[guillaume-verdon-sword]

Type: Bug

Component:
spring-cloud-aws-core

Describe the bug
Our vulnerability scanner raised concerns regarding io.awspring.cloud:spring-cloud-aws-starter@3.4.0. It seems this version of the lib depends on org.springframework:spring-core@6.2.7 which has a known vulnerability https://www.cve.org/CVERecord?id=CVE-2025-41249

Note: Upgrading the core would also probably fix https://www.cve.org/CVERecord?id=CVE-2025-41242 introduced through io.awspring.cloud:spring-cloud-aws-starter-s3@3.4.0 › io.awspring.cloud:spring-cloud-aws-s3@3.4.0 › org.springframework:spring-context@6.2.7 › org.springframework:spring-aop@6.2.7 › org.springframework:spring-beans@6.2.7

Sample
N/A

[maciejwalkowiak]

We have just released 3.4.1 that should solve this issue.

[guillaume-verdon-sword]

Hello @maciejwalkowiak,

Thanks for your answer.

I've just upgraded to 3.4.1 and it seems that spring-cloud-aws is now pulling spring-core@6.2.10.

io.awspring.cloud:spring-cloud-aws-starter@3.4.1 › io.awspring.cloud:spring-cloud-aws-core@3.4.1 › org.springframework:spring-core@6.2.10

However, the mentionned CVE were fixed in spring-core@6.2.11, therefore, the vulnerabilities seems to still be included in the package.

Regards,
Guillaume

[MatejNedic]

Our version for Spring dependencies is inherited from -> https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-build/4.3.1

Which contains affected 3.5.5 spring boot version. You should be able to specify Spring Boot version 3.5.7 and this should solve your issue for now.

Till 4.3.2 version of spring cloud build is released we cannot do much.