Update dependency org.apache.commons:commons-fileupload2-core to v2.0.0-M4 [SECURITY] #143

Open
renovate-bot wants to merge 1 commit from renovate/maven-org.apache.commons-commons-fileupload2-core-vulnerability into main
Collaborator

This PR contains the following updates:

Package: org.apache.commons:commons-fileupload2-core (source)
Change: 2.0.0-M2 -> 2.0.0-M4
Age / Adoption / Passing / Confidence: Mend merge-confidence badges (image alt text only)

⚠️ Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers

CVE-2025-48976 / GHSA-vv7r-c36w-3prj

More information

Details

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.

This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
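The advisory above describes missing limits on multipart part headers; the fix in 2.0.0-M4 adds a configurable per-part header limit alongside the existing request-size, file-size and file-count limits. The following servlet is an added example written for this page, not code from the Renovate PR or from the Apache project. It assumes the commons-fileupload2-jakarta-servlet6 module is on the classpath and that the method names match the 2.0.0-M4 API as I recall it (setPartHeaderSizeMax being the one introduced with this fix); verify them against the release javadoc before relying on them.

```java
import java.io.IOException;
import java.util.List;

import org.apache.commons.fileupload2.core.DiskFileItem;
import org.apache.commons.fileupload2.core.DiskFileItemFactory;
import org.apache.commons.fileupload2.core.FileUploadException;
import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletFileUpload;

import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Added example (not part of the PR or the advisory): multipart parsing with
 * every resource limit the 2.0.0-M4 API exposes set explicitly, so a request
 * with oversized part headers is rejected instead of consuming memory.
 */
public class LimitedUploadServlet extends HttpServlet {

    // Assumed limits for this example; tune them to the endpoint's real needs.
    private static final long MAX_REQUEST_BYTES = 10L * 1024 * 1024; // whole body: 10 MiB
    private static final long MAX_PART_BYTES = 5L * 1024 * 1024;     // any single part: 5 MiB
    private static final long MAX_PART_COUNT = 20;                    // parts per request
    private static final int MAX_PART_HEADER_BYTES = 512;             // headers of one part

    /** Builds a parser with all limits applied; method names assumed to match 2.0.0-M4. */
    static JakartaServletFileUpload<DiskFileItem, DiskFileItemFactory> newUpload() {
        DiskFileItemFactory factory = DiskFileItemFactory.builder().get();
        JakartaServletFileUpload<DiskFileItem, DiskFileItemFactory> upload =
                new JakartaServletFileUpload<>(factory);
        upload.setSizeMax(MAX_REQUEST_BYTES);
        upload.setFileSizeMax(MAX_PART_BYTES);
        upload.setFileCountMax(MAX_PART_COUNT);
        // The limit added by the CVE-2025-48976 fix (assumed name and default of 512 bytes).
        // Versions before 2.0.0-M4 have no such setter, which is the gap the advisory describes.
        upload.setPartHeaderSizeMax(MAX_PART_HEADER_BYTES);
        return upload;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (!JakartaServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        try {
            List<DiskFileItem> items = newUpload().parseRequest(req);
            int files = 0;
            for (DiskFileItem item : items) {
                if (!item.isFormField()) {
                    files++;
                }
                // Application-specific handling of the part would go here.
            }
            resp.setStatus(HttpServletResponse.SC_OK);
            resp.getWriter().println("accepted " + files + " file part(s)");
        } catch (FileUploadException e) {
            // Any exceeded limit (request size, part size, part count, part header size)
            // surfaces here; reject the request and log it for detection purposes.
            log("multipart request rejected: " + e.getMessage());
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "upload limits exceeded");
        }
    }
}
```

The defensive point is that after the upgrade the header limit applies by default (the advisory's fix sets a default), but stating it explicitly next to the other limits keeps the policy visible in code review and makes a later dependency downgrade fail to compile rather than silently reopen the gap.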

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-48976
  • https://github.com/apache/commons-fileupload/commit/b247774a72a044f5d5380ae947140ee80af4e78b
  • https://github.com/apache/commons-fileupload/commit/bf68f63cfb312ef4710fb3dfb4d8e4e1665f4497
  • https://github.com/apache/tomcat/commit/97790a35a27d236fa053e660676c3f8196284d93
  • https://github.com/apache/commons-fileupload
  • https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12
  • http://www.openwall.com/lists/oss-security/2025/06/16/4

This data is provided by OSV (https://osv.dev/vulnerability/GHSA-vv7r-c36w-3prj) and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

renovate-bot added the
core
runtime
security
urgent
labels 2025-10-02 21:14:02 +00:00
renovate-bot added 1 commit 2025-10-02 21:14:02 +00:00
renovate-bot scheduled this pull request to auto merge when all checks succeed 2025-10-02 21:14:02 +00:00
Some checks failed
Build / build (push) Failing after 48s
Reference: antville/helma#143