[Snyk] Fix for 2 vulnerabilities

[lgrill-pentaho]

Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• plugins/streaming/impls/jms/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Improper Validation of Specified Quantity in Input SNYK-JAVA-IONETTY-8707740	131	io.netty:netty-codec: 4.1.108.Final -> 4.1.118.Final io.netty:netty-codec-http: 4.1.108.Final -> 4.1.118.Final io.netty:netty-handler: 4.1.108.Final -> 4.1.118.Final io.netty:netty-transport-native-epoll: 4.1.108.Final -> 4.1.118.Final io.netty:netty-transport-native-kqueue: 4.1.108.Final -> 4.1.118.Final Proof of Concept
	Improper Validation of Specified Quantity in Input SNYK-JAVA-IONETTY-8707739	125	io.netty:netty-codec-http: 4.1.108.Final -> 4.1.118.Final io.netty:netty-handler: 4.1.108.Final -> 4.1.118.Final No Known Exploit

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[hitachivantarasonarqube]

Analysis Details

0 Issues

• 0 Bugs
• 0 Vulnerabilities
• 0 Code Smells

Coverage and Duplications

• No coverage information (28.50% Estimated after merge)
• 0.00% Duplicated Code (0.00% Estimated after merge)

Project ID: org.pentaho.di:pdi

View in SonarQube

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
Medium	io.netty:netty-codec-http:4.1.118.Final org.pentaho.di.plugins:pentaho-streaming-jms-plugin:10.3.0.0-SNAPSHOT	io.netty:netty-common 4.1.118.Final	-	CVE-2025-25193

🔬 Research Details

Description:
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot