Update dependency com.google.code.gson:gson to v2.8.9 [SECURITY] #2

Open
renovate-bot wants to merge 1 commit from renovate/maven-com.google.code.gson-gson-vulnerability into master

This PR contains the following updates:

Package: com.google.code.gson:gson
Change: 2.8.8 → 2.8.9

Deserialization of Untrusted Data in Gson

CVE-2022-25647 / GHSA-4jrv-ppp4-jm57

Details

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to denial of service attacks.
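A fix in pom.xml only covers the direct dependency; Gson often arrives transitively, so the version actually resolved on the classpath is what matters for CVE-2022-25647. The following check, written for this PR as an added example (not Renovate's or Gson's code), scans `mvn dependency:tree` output and flags every com.google.code.gson:gson entry below the fixed version 2.8.9; the sample tree and the org.example artifact in it are constructed.

```python
"""Audit `mvn dependency:tree` output for Gson versions affected by CVE-2022-25647.

Added example, not part of the Renovate PR or the Gson project. It reads the
plain-text tree (direct and transitive dependencies) and reports every
com.google.code.gson:gson artifact resolved below the advisory's fixed version.
"""
import re

VULNERABLE_ARTIFACT = "com.google.code.gson:gson"
FIXED_VERSION = "2.8.9"  # first release containing google/gson PR #1991
ADVISORY = "CVE-2022-25647 / GHSA-4jrv-ppp4-jm57"

# groupId:artifactId:type[:classifier]:version[:scope], as dependency:tree prints it
_COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+(?::[\w\-]+)?"
    r":(?P<version>[\w.\-]+)(?::\w+)?$"
)

def parse_version(version):
    """Turn '2.8.9' or '31.0.1-jre' into a comparable tuple of ints.
    Qualifiers after '-' are dropped; only the dotted numeric prefix is compared."""
    numeric = version.split("-", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in numeric.split("."))

def find_vulnerable_gson(tree_output):
    """Return [(coordinate, version)] for every gson entry below FIXED_VERSION."""
    findings = []
    for raw in tree_output.splitlines():
        # drop the "[INFO] |  +- " tree drawing that dependency:tree prefixes
        line = re.sub(r"^\[INFO\]\s*[|+\\\- ]*", "", raw).strip()
        match = _COORD.match(line)
        if not match:
            continue
        coord = f"{match['group']}:{match['artifact']}"
        if coord == VULNERABLE_ARTIFACT and parse_version(match["version"]) < parse_version(FIXED_VERSION):
            findings.append((line, match["version"]))
    return findings

# Constructed sample shaped like `mvn dependency:tree` output; gson is only transitive here.
SAMPLE_TREE = """\
[INFO] com.example:aw-map:jar:1.0.0
[INFO] +- org.example:some-client:jar:3.1.0:compile
[INFO] |  \\- com.google.code.gson:gson:jar:2.8.8:compile
[INFO] \\- com.google.guava:guava:jar:31.0.1-jre:compile
"""

if __name__ == "__main__":
    for coord, version in find_vulnerable_gson(SAMPLE_TREE):
        print(f"{ADVISORY}: {coord} resolves {version} < {FIXED_VERSION}")
```

Pipe the real tree in with `mvn dependency:tree | python3 audit_gson.py` after replacing SAMPLE_TREE with stdin; a transitive hit means the upgrade needs a `<dependencyManagement>` pin, not just the direct version bump this PR makes.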

Severity

  • CVSS Score: 7.7 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-25647
  • https://github.com/google/gson/pull/1991
  • https://github.com/google/gson/pull/1991/commits
  • https://github.com/google/gson
  • https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html
  • https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html
  • https://security.netapp.com/advisory/ntap-20220901-0009
  • https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327
  • https://www.debian.org/security/2022/dsa-5227
  • https://www.oracle.com/security-alerts/cpujul2022.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

google/gson (com.google.code.gson:gson)

v2.8.9

  • Make OSGi bundle's dependency on sun.misc optional (#1993).
  • Deprecate Gson.excluder() exposing internal Excluder class (#1986).
  • Prevent Java deserialization of internal classes (#1991).
  • Improve number strategy implementation (#1987).
  • Fix LongSerializationPolicy null handling being inconsistent with Gson (#1990).
  • Support arbitrary Number implementation for Object and Number deserialization (#1290).
  • Bump proguard-maven-plugin from 2.4.0 to 2.5.1 (#1980).
  • Don't exclude static local classes (#1969).
  • Fix RuntimeTypeAdapterFactory depending on internal Streams class (#1959).
  • Improve Maven build (#1964).
  • Make dependency on java.sql optional (#1707).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.


Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/maven-com.google.code.gson-gson-vulnerability:renovate/maven-com.google.code.gson-gson-vulnerability
git switch renovate/maven-com.google.code.gson-gson-vulnerability

Merge

Merge the changes and update on Forgejo. Use one of the following sequences, depending on the merge style:

git switch master
git merge --no-ff renovate/maven-com.google.code.gson-gson-vulnerability

git switch renovate/maven-com.google.code.gson-gson-vulnerability
git rebase master
git switch master
git merge --ff-only renovate/maven-com.google.code.gson-gson-vulnerability

git switch renovate/maven-com.google.code.gson-gson-vulnerability
git rebase master
git switch master
git merge --no-ff renovate/maven-com.google.code.gson-gson-vulnerability

git switch master
git merge --squash renovate/maven-com.google.code.gson-gson-vulnerability

git switch master
git merge --ff-only renovate/maven-com.google.code.gson-gson-vulnerability

git switch master
git merge renovate/maven-com.google.code.gson-gson-vulnerability

Then push the result:

git push origin master
Reference
MobiusReactor/AW-Map!2