Fix XXE vulnerability by upgrading transitive Rhino dependency to 1.7.15.1#2267

Closed
Copilot wants to merge 2 commits into master from copilot/fix-xml-external-entities-vulnerability

Conversation


Copilot AI commented Feb 2, 2026

Pull Request

Thank you for contributing to swagger-parser!

Please fill out the following checklist to help us review your PR efficiently.


Description

Problem: A transitive dependency on Mozilla Rhino 1.7.7.2 exposes an XXE vulnerability (BDSA-2018-5289) via the toXml function.

Dependency chain:

swagger-compat-spec-parser:1.0.75
  → json-schema-validator:2.2.14
    → json-schema-core:1.2.14
      → rhino:1.7.7.2 (vulnerable)

Solution: Override Rhino to 1.7.15.1 in parent dependencyManagement.

Why 1.7.14:

  • XXE vulnerability fixed in 1.7.13+
  • Latest version compatible with Java 8 (project requirement)
  • 1.7.15+ requires Java 11+
  • No known CVEs per GitHub advisory database

Change: Added single dependency management entry to force all transitive Rhino dependencies to 1.7.15.1.

Type of Change

  • 🐛 Bug fix
  • ✨ New feature
  • ♻️ Refactor (non-breaking change)
  • 🧪 Tests
  • 📝 Documentation
  • 🧹 Chore (build or tooling)

Checklist

  • I have added/updated tests as needed
  • I have added/updated documentation where applicable
  • The PR title is descriptive
  • The code builds and passes tests locally
  • I have linked related issues (if any)
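The PR description says a single dependencyManagement entry forces every transitive Rhino to 1.7.15.1 but does not show it. The fragment below is an added illustration, not the swagger-parser project's own pom.xml: it assumes the standard Maven coordinates org.mozilla:rhino and that the parent POM already carries a dependencyManagement section, and it takes the version from the PR title.

```xml
<!-- Added example, not the swagger-parser parent pom.xml.
     Assumption: the parent POM already has a <dependencyManagement>
     section; only the Rhino entry is shown. Maven applies a managed
     version to every occurrence of the artifact in the dependency tree,
     including the transitive rhino:1.7.7.2 reached through
     swagger-compat-spec-parser -> json-schema-validator -> json-schema-core. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.mozilla</groupId>
      <artifactId>rhino</artifactId>
      <!-- version named in the PR title; 1.7.7.2 is the vulnerable one -->
      <version>1.7.15.1</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=org.mozilla:rhino -Dverbose` from the parent module and check that every Rhino node in every module reports 1.7.15.1 (verbose output also prints which version was managed away). Two caveats a reviewer would want: dependencyManagement only pins versions for artifacts that already resolve in the tree, so a rhino entry with no consumer is a no-op; and a forced upgrade must stay API-compatible with json-schema-core, which is what the "builds and passes tests locally" checklist item is meant to establish.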

Copilot AI changed the title [WIP] Fix XML external entities vulnerability in Mozilla Rhino Fix XXE vulnerability by upgrading transitive Rhino dependency to 1.7.14 Feb 2, 2026
Copilot AI requested a review from daniel-kmiecik February 2, 2026 10:56
@ewaostrowska ewaostrowska force-pushed the copilot/fix-xml-external-entities-vulnerability branch from a4e057d to a09fa92 April 14, 2026 09:59
@ewaostrowska ewaostrowska marked this pull request as ready for review April 14, 2026 10:01
@ewaostrowska ewaostrowska changed the title Fix XXE vulnerability by upgrading transitive Rhino dependency to 1.7.14 Fix XXE vulnerability by upgrading transitive Rhino dependency to 1.7.15.1 Apr 14, 2026
@ewaostrowska ewaostrowska deleted the copilot/fix-xml-external-entities-vulnerability branch April 14, 2026 11:14
4 participants