
[Feature] Bump to > 5.4.3 to fix CVE-2025-27820 (PSL validation bypass)

Open Sbaia opened this issue 1 month ago • 0 comments

Search before asking

  • [x] I searched in the issues and found nothing similar.

Motivation

Trivy reports the following HIGH vulnerability on org.apache.httpcomponents.client5:httpclient5 (present in paimon-flink-2.1-1.3.0.jar):

Solution

The fixed version is 5.4.3.

Plan

I'm opening this issue and confirm that I will submit a PR to bump the dependency to 5.4.3 (or the latest version that includes the fix).

Tasks

  • [ ] Create branch fix/cve-2025-27820-httpclient5
  • [ ] Upgrade httpclient5 to 5.4.3 (or latest)
  • [ ] Run local tests / CI
  • [ ] Verify Trivy no longer reports the CVE
  • [ ] Open PR with clear description and link to this issue
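For the "Verify Trivy no longer reports the CVE" step, an added example (not part of the issue or of the Paimon project) that parses a Trivy JSON report and checks whether CVE-2025-27820 is still present and whether the installed httpclient5 meets the 5.4.3 fix version. The sample report is constructed; the installed version in it is a placeholder, not a value taken from the issue.

```python
import json
from typing import Dict, List

# Constructed sample of Trivy's JSON output (`trivy fs --format json`),
# trimmed to the fields this check reads. InstalledVersion is a placeholder.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "paimon-flink-2.1-1.3.0.jar",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-2025-27820",
                    "PkgName": "org.apache.httpcomponents.client5:httpclient5",
                    "InstalledVersion": "5.4.2",  # placeholder, not from the issue
                    "FixedVersion": "5.4.3",
                    "Severity": "HIGH",
                }
            ],
        }
    ]
})


def parse_version(version: str) -> tuple:
    """Hypothetical helper: numeric tuple for plain x.y.z Maven tags (5.4.3)."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def find_cve(report_json: str, cve_id: str) -> List[Dict[str, str]]:
    """Return every finding for cve_id across all targets in a Trivy report."""
    hits = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits "Vulnerabilities": null for a clean target, so guard for None.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") == cve_id:
                hits.append({
                    "target": result.get("Target", ""),
                    "pkg": vuln.get("PkgName", ""),
                    "installed": vuln.get("InstalledVersion", ""),
                    "fixed": vuln.get("FixedVersion", ""),
                })
    return hits


def httpclient5_is_fixed(installed: str, fixed: str = "5.4.3") -> bool:
    """True when the installed httpclient5 is at or above the CVE fix version."""
    return parse_version(installed) >= parse_version(fixed)


if __name__ == "__main__":
    for hit in find_cve(SAMPLE_REPORT, "CVE-2025-27820"):
        state = "fixed" if httpclient5_is_fixed(hit["installed"], hit["fixed"]) else "VULNERABLE"
        print(f'{hit["target"]}: {hit["pkg"]} {hit["installed"]} (fix {hit["fixed"]}) -> {state}')
```

Feed it the real report (`trivy fs --format json -o report.json .`) instead of SAMPLE_REPORT; an empty result from find_cve after the bump is the pass condition for the task above.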

References

  • CVE: https://avd.aquasec.com/nvd/cve-2025-27820
  • HttpClient 5.4.3 Release: https://github.com/apache/httpcomponents-client/releases/tag/5.4.3

/cc @maintainer-if-relevant

Anything else?

No response

Are you willing to submit a PR?

  • [x] I'm willing to submit a PR!

Sbaia, Nov 10 '25 11:11