From a771e7a2a1f76bb11525c278a74f352dfc7670c2 Mon Sep 17 00:00:00 2001
From: Tsvetoslav Tsekov <129774811+tsekovTriesCoding@users.noreply.github.com>
Date: Wed, 18 Mar 2026 16:15:51 +0200
Subject: [PATCH] fix: patch backend dependency vulnerabilities

- Bump Spring Boot 4.0.2 -> 4.0.3 (fixes Jackson, Tomcat, AssertJ transitives)
- Bump Spring Cloud 2025.1.0 -> 2025.1.1 (fixes Eureka/httpclient transitives)
- Bump MySQL Connector/J 8.3.0 -> 8.4.0
- Bump Testcontainers 2.0.0 -> 2.0.3
- Bump springdoc 2.8.6 -> 3.0.2 (Spring Boot 4 compatible line)
- Bump JJWT 0.12.6 -> 0.12.7, centralized in parent POM
- Bump Cloudinary 2.0.0 -> 2.3.2, centralized in parent POM
- Override Jackson BOMs 2.20.2 -> 2.21.1 / 3.0.4 -> 3.1.0 (CVE-2026-29062)
- Override Kafka 4.1.1 -> 4.1.2 (CVE-2025-48734)
- Override lz4-java -> 1.8.1, protobuf-java -> 4.34.0 (transitive CVE fixes)
- Update README badges and tech stack versions
---
 README.md                    | 14 ++++-----
 backend/api-gateway/pom.xml  |  3 --
 backend/auth-service/pom.xml |  3 --
 backend/pom.xml              | 56 ++++++++++++++++++++++++++++++++----
 backend/user-service/pom.xml |  1 -
 5 files changed, 58 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index 82f2d34..fe349f8 100644
--- a/README.md
+++ b/README.md
@@ -1,11 +1,11 @@ # FinPay Platform ![Java](https://img.shields.io/badge/Java-25-orange?style=flat-square&logo=openjdk&logoColor=white) -![Spring Boot](https://img.shields.io/badge/Spring%20Boot-4.0.2-brightgreen?style=flat-square&logo=springboot&logoColor=white) +![Spring Boot](https://img.shields.io/badge/Spring%20Boot-4.0.3-brightgreen?style=flat-square&logo=springboot&logoColor=white) ![React](https://img.shields.io/badge/React-19-blue?style=flat-square&logo=react&logoColor=white) ![TypeScript](https://img.shields.io/badge/TypeScript-5.7-3178C6?style=flat-square&logo=typescript&logoColor=white) ![Apache Kafka](https://img.shields.io/badge/Kafka-KRaft-231F20?style=flat-square&logo=apachekafka&logoColor=white) -![MySQL](https://img.shields.io/badge/MySQL-8.0-4479A1?style=flat-square&logo=mysql&logoColor=white) +![MySQL](https://img.shields.io/badge/MySQL-8.4-4479A1?style=flat-square&logo=mysql&logoColor=white) ![Redis](https://img.shields.io/badge/Redis-7-DC382D?style=flat-square&logo=redis&logoColor=white) ![Docker](https://img.shields.io/badge/Docker-Ready-2496ED?style=flat-square&logo=docker&logoColor=white) ![License](https://img.shields.io/badge/License-MIT-yellow?style=flat-square) 
@@ -100,20 +100,20 @@ graph TB ### Backend | Layer | Technology | |-------|-----------| -| Framework | Spring Boot 4.0.2, Spring Cloud 2025.1.0 | +| Framework | Spring Boot 4.0.3, Spring Cloud 2025.1.1 | | Language | Java 25 | | Database | MySQL 8.0 (database-per-service) | | Messaging | Apache Kafka (KRaft mode, no Zookeeper) | | Caching | Redis 7 (sessions, rate limiting, idempotency, analytics) | -| Auth | JWT (JJWT 0.12.6), OAuth2 (Google, GitHub), BCrypt, HTTP-only cookies | -| API Docs | SpringDoc OpenAPI 2.8.6, aggregated at the gateway | +| Auth | JWT (JJWT 0.12.7), OAuth2 (Google, GitHub), BCrypt, HTTP-only cookies | +| API Docs | SpringDoc OpenAPI 3.0.2, aggregated at the gateway | | Resilience | Resilience4j circuit breakers, Spring Retry with exponential backoff | | Mapping | MapStruct 1.6.3, Lombok | | Tracing | OpenTelemetry + Zipkin (100% sampling) | | Metrics | Micrometer → Prometheus → Grafana | | Email | Spring Mail + Thymeleaf HTML templates | -| Image Upload | Cloudinary 2.0.0 | -| Testing | JUnit 5, Testcontainers 2.0.0 (MySQL, Kafka, Redis) | +| Image Upload | Cloudinary 2.3.2 | +| Testing | JUnit 5, Testcontainers 2.0.3 (MySQL, Kafka, Redis) | ### Frontend | Layer | Technology | diff --git a/backend/api-gateway/pom.xml b/backend/api-gateway/pom.xml index c880bdd..e443ca2 100644 --- a/backend/api-gateway/pom.xml +++ b/backend/api-gateway/pom.xml @@ -48,18 +48,15 @@ io.jsonwebtoken jjwt-api - 0.12.6 io.jsonwebtoken jjwt-impl - 0.12.6 runtime io.jsonwebtoken jjwt-jackson - 0.12.6 runtime diff --git a/backend/auth-service/pom.xml b/backend/auth-service/pom.xml index b704ee8..31926ec 100644 --- a/backend/auth-service/pom.xml +++ b/backend/auth-service/pom.xml @@ -48,18 +48,15 @@ io.jsonwebtoken jjwt-api - 0.12.6 io.jsonwebtoken jjwt-impl - 0.12.6 runtime io.jsonwebtoken jjwt-jackson - 0.12.6 runtime diff --git a/backend/pom.xml b/backend/pom.xml index 6527c85..bc39e5a 100644 --- a/backend/pom.xml +++ b/backend/pom.xml 
@@ -6,7 +6,7 @@ org.springframework.boot spring-boot-starter-parent - 4.0.2 + 4.0.3 @@ -30,13 +30,23 @@ 25 - 2025.1.0 - 8.3.0 + 2025.1.1 + 8.4.0 1.6.3 0.2.0 5.1.0 - 2.0.0 - 2.8.6 + 2.0.3 + 3.0.2 + 0.12.7 + 2.3.2 + + 1.8.1 + 4.34.0 + + 2.21.1 + 3.1.0 + + 4.1.2 @@ -79,6 +89,42 @@ springdoc-openapi-starter-webmvc-ui ${springdoc.version} + + + + io.jsonwebtoken + jjwt-api + ${jjwt.version} + + + io.jsonwebtoken + jjwt-impl + ${jjwt.version} + + + io.jsonwebtoken + jjwt-jackson + ${jjwt.version} + + + + + com.cloudinary + cloudinary-http5 + ${cloudinary.version} + + + + + org.lz4 + lz4-java + ${lz4-java.version} + + + com.google.protobuf + protobuf-java + ${protobuf-java.version} + diff --git a/backend/user-service/pom.xml b/backend/user-service/pom.xml index e6b497b..6dee0fe 100644 --- a/backend/user-service/pom.xml +++ b/backend/user-service/pom.xml @@ -73,7 +73,6 @@ com.cloudinary cloudinary-http5 - 2.0.0
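Review bot: the MySQL badge in the first README hunk moves from 8.0 to 8.4, but what this patch bumps is MySQL Connector/J, the JDBC driver (`8.3.0` -> `8.4.0` in backend/pom.xml), not the database server, and the unchanged `| Database | MySQL 8.0 (database-per-service) |` row in the tech-stack hunk still says 8.0. Either revert the badge to the server version that is actually deployed or update the table row so the two agree; as it stands a reader cannot tell which MySQL server version the platform runs on.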
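Review bot: the new `2.21.1`, `3.1.0` and `4.1.2` property values in the `@@ -30,13 +30,23 @@` hunk of backend/pom.xml only take effect if their property keys exactly match the ones Spring Boot's parent uses to manage the Jackson BOMs and Kafka; a misspelled key is silently ignored and the version the commit message calls vulnerable stays on the classpath. Since the commit message ties these overrides to CVE-2026-29062 and CVE-2025-48734, the PR should carry `mvn dependency:tree` output (or the scanner report that motivated the change) showing Jackson resolved at 2.21.1 / 3.1.0, kafka-clients at 4.1.2, lz4-java at 1.8.1 and protobuf-java at 4.34.0. Note also that 3.0.4 -> 3.1.0 is a Jackson minor-version step beyond what Spring Boot 4.0.3 itself manages, so the Testcontainers-backed test suite should run green before merge rather than being assumed unaffected.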
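Review bot: the `@@ -79,6 +89,42 @@` hunk adds lz4-java and protobuf-java to dependencyManagement with explicit versions; a managed version only pins an artifact that is actually resolved (transitively or directly), so confirm both are really pulled in by something on the classpath, otherwise these are dead pins that give a false sense of remediation. In the same region `springdoc-openapi-starter-webmvc-ui` now resolves to 3.0.2, a major-version jump from 2.8.6; the README table states that API docs are aggregated at the gateway, so the gateway's OpenAPI aggregation should be exercised against the 3.x line as part of this PR.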
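Review bot: the api-gateway, auth-service and user-service hunks drop the explicit `0.12.6` (jjwt-api, jjwt-impl, jjwt-jackson) and `2.0.0` (cloudinary-http5) versions so the artifacts resolve through the parent's new dependencyManagement block. That only works if each of those modules declares backend/pom.xml as its `<parent>`, not merely being listed as a `<module>` of it; a service that inherits from spring-boot-starter-parent directly would fail model validation with a missing-version error. A `mvn validate` across all modules in CI would catch that before merge, and the same check should be repeated for any service not touched by this patch that still carries its own jjwt or cloudinary version.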