happyhapi opened a new issue, #1240: URL: https://github.com/apache/rocketmq-clients/issues/1240
### Before Creating the Bug Report

- [x] I found a bug, not just asking a question, which should be created in [GitHub Discussions](https://github.com/apache/rocketmq-clients/discussions).
- [x] I have searched the [GitHub Issues](https://github.com/apache/rocketmq-clients/issues) and [GitHub Discussions](https://github.com/apache/rocketmq-clients/discussions) of this repository and believe that this is not a duplicate.
- [x] I have confirmed that this bug belongs to the current repository, not other repositories of RocketMQ.

### Programming Language of the Client

Java

### Runtime Platform Environment

Not involved

### RocketMQ Version of the Client/Server

Client 5.2.0, Server 5.3.1

### Run or Compiler Version

Compiler: Oracle OpenJDK 1.8.0_171

### Describe the Bug

During our use of rocketmq-client-java-5.2.0, the following component vulnerabilities were discovered:

(1) CVE-2024-7254 com.google.protobuf:protobuf-java-util:3.24.4
(2) CVE-2025-48924 org.apache.commons:commons-lang3:3.4
(3) CVE-2023-2976 com.google.guava:guava:32.0.0-jre

We hope that the above-mentioned component vulnerabilities can be fixed as soon as possible and that a new SDK version can be released. Thank you very much for solving our problems.

A security scan of rocketmq-client-java found that the following components are at old versions with corresponding vulnerabilities:

(1) CVE-2024-7254 com.google.protobuf:protobuf-java-util:3.24.4
(2) CVE-2025-48924 org.apache.commons:commons-lang3:3.4
(3) CVE-2023-2976 com.google.guava:guava:32.0.0-jre

We hope these can be upgraded and a fixed version released as soon as possible. Many thanks!

### Steps to Reproduce

The relevant vulnerable dependencies have been packaged into the rocketmq-client-java jar, and their specific location is under ./META-INF/maven.

The dependency jars containing the vulnerabilities have been bundled into the rocketmq-client-java jar; they can be found under the ./META-INF/maven directory.

### What Did You Expect to See?

Jar packages should not contain known CVEs.

### What Did You See Instead?

The current jar of rocketmq-client-java is affected by CVE-2024-7254, CVE-2025-48924 and CVE-2023-2976.

### Additional Context

_No response_

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
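The report locates the bundled dependencies via the `pom.properties` files under `META-INF/maven` inside the shaded jar. The following added example (not part of the issue or the RocketMQ project's code) shows how a defender can inventory those coordinates from any jar and flag the exact versions the issue lists; the jar built by `build_sample_jar` is constructed to mimic that layout and is not the real artifact, and `AFFECTED` is a constructed table holding only the three coordinates named in the report, not a vulnerability database.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Coordinates the issue reports as bundled in rocketmq-client-java 5.2.0,
# keyed (groupId, artifactId) -> {version: CVE}. Constructed from the issue
# text only; extend it from a real advisory feed in practice.
AFFECTED = {
    ("com.google.protobuf", "protobuf-java-util"): {"3.24.4": "CVE-2024-7254"},
    ("org.apache.commons", "commons-lang3"): {"3.4": "CVE-2025-48924"},
    ("com.google.guava", "guava"): {"32.0.0-jre": "CVE-2023-2976"},
}

def parse_pom_properties(text):
    """Parse a Maven pom.properties body (key=value lines, '#' comments) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def bundled_dependencies(jar_bytes):
    """Return {(groupId, artifactId): version} for every META-INF/maven/**/pom.properties."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            path = PurePosixPath(name)
            if path.parts[:2] == ("META-INF", "maven") and path.name == "pom.properties":
                props = parse_pom_properties(jar.read(name).decode("utf-8", "replace"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    found[(props["groupId"], props["artifactId"])] = props["version"]
    return found

def find_affected(jar_bytes):
    """Return sorted (groupId:artifactId:version, CVE) pairs for bundled deps in AFFECTED."""
    hits = []
    for (group, artifact), version in bundled_dependencies(jar_bytes).items():
        cve = AFFECTED.get((group, artifact), {}).get(version)
        if cve:
            hits.append((f"{group}:{artifact}:{version}", cve))
    return sorted(hits)

def build_sample_jar():
    """Constructed in-memory jar mimicking the META-INF/maven layout the issue describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for group, artifact, version in [
            ("com.google.protobuf", "protobuf-java-util", "3.24.4"),
            ("org.apache.commons", "commons-lang3", "3.4"),
            ("com.google.guava", "guava", "32.0.0-jre"),
            ("org.apache.rocketmq", "rocketmq-client-java", "5.2.0"),
        ]:
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                         f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")
    return buf.getvalue()
```

Run `find_affected(open("rocketmq-client-java-5.2.0.jar", "rb").read())` against a real jar to list the bundled coordinates that match; a shaded jar that relocates classes still keeps these `pom.properties` files, which is why the report points at that directory.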
