From e01d90a83f3238825c7131147371f09231ff3ff2 Mon Sep 17 00:00:00 2001
From: ventusfortis
Date: Thu, 12 Feb 2026 10:15:42 +0000
Subject: [PATCH] Update dependencies versions to remediate CVEs
---
 build.sbt | 8 ++++++++
 project/Versions.scala | 6 ++++++
 2 files changed, 14 insertions(+)
diff --git a/build.sbt b/build.sbt
index c0d3731167fe..1b15bd5d80eb 100644
--- a/build.sbt
+++ b/build.sbt
@@ -56,6 +56,14 @@ ThisBuild / libraryDependencies ++= Seq(
 // `Optional` means "not transitive", but still included in "stage/lib"
 )
 
+// CVE remediation - override vulnerable transitive dependencies (see https://github.com/joernio/joern/issues/5781)
+ThisBuild / dependencyOverrides ++= Seq(
+ "com.google.protobuf" % "protobuf-java" % Versions.protobuf,
+ "org.msgpack" % "msgpack-core" % Versions.msgpack,
+ "io.undertow" % "undertow-core" % Versions.undertow,
+ "com.squareup.okhttp3" % "okhttp" % Versions.okhttp
+)
+
 ThisBuild / compile / javacOptions ++= Seq(
 "-g", // debug symbols
 "-Xlint",
diff --git a/project/Versions.scala b/project/Versions.scala
index 58fe9dc16493..9fc8c5003a48 100644
--- a/project/Versions.scala
+++ b/project/Versions.scala
@@ -52,6 +52,12 @@ object Versions {
 val zip4j = "2.11.5"
 val asm = "9.7.1"
 
+ // CVE remediation - override versions for vulnerable transitive deps (see https://github.com/joernio/joern/issues/5781)
+ val protobuf = "3.25.5"
+ val msgpack = "0.9.11"
+ val undertow = "2.3.20.Final"
+ val okhttp = "4.9.2"
+
 private def parseVersion(key: String): String = {
 val versionRegexp = s""".*val $key[ ]+=[ ]?"(.*?)"""".r
 val versions: List[String] = scala.io.Source
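Review bot: The `ThisBuild / dependencyOverrides ++= Seq(` block pins exact versions, and as far as I know sbt applies an override as a forced version even when a dependency later requests a newer one, so these four entries can silently downgrade a future transitive bump back to the releases fixed in project/Versions.scala (the second hunk); the pins are a floor today but become a ceiling as the graph moves. The added comment only links the tracking issue, so I would state the mechanism and the exit condition next to it: `// NOTE: dependencyOverrides forces these exact versions even when a transitive dependency requests a newer one; raise or drop each pin once the direct dependency ships a fixed release (verify with the evicted / dependencyTree tasks)`. It would also help to name the advisories each pin remediates in that comment, so a pin can be tied to the minimum fixed release it needs rather than to an issue number that may be closed for unrelated reasons. Both hunks close within the patch, but the enclosing Versions object and the parseVersion body continue beyond the second hunk.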