Skip to content
This repository was archived by the owner on Mar 5, 2026. It is now read-only.
This repository was archived by the owner on Mar 5, 2026. It is now read-only.

Security: dependency updates needed for multiple HIGH CVEs #182

Description

@barbuitenhuis

Context

We use openFHIR as our FHIR↔openEHR bridge (built from main branch). A Trivy scan on our deployment reveals 12 HIGH CVEs in bundled dependencies (0 CRITICAL after our Feb 25 rebuild).

Affected Dependencies

Tomcat (3 HIGH CVEs — DoS & path traversal)

CVE Installed Fixed in
CVE-2025-48988 10.1.35 10.1.42
CVE-2025-48989 10.1.35 10.1.44
CVE-2025-55752 10.1.35 10.1.45

Spring Boot / Spring Framework (4 HIGH CVEs)

CVE Library Installed Fixed in
CVE-2025-22235 spring-boot 3.3.2 3.3.11
CVE-2025-41249 spring-core 6.1.11 6.2.11
CVE-2024-38816 spring-webmvc 6.1.11 6.1.13
CVE-2024-38819 spring-webmvc 6.1.11 6.1.14

FHIR Core / Utilities (3 HIGH CVEs — XXE)

CVE Library Installed Fixed in
CVE-2024-45294 org.hl7.fhir.r4 6.1.2.2 6.3.23
CVE-2024-51132 org.hl7.fhir.r4 6.1.2.2 6.4.0
CVE-2024-52007 org.hl7.fhir.utilities 6.1.2.2 6.4.0

Other

CVE Library Installed Fixed in
CVE-2024-55887 ucum 1.0.8 1.0.9
CVE-2024-57699 json-smart 2.5.1 2.5.2

Suggested Fix

Bump Spring Boot to 3.3.11+ (pulls in Tomcat 10.1.45+ and Spring Framework 6.1.14+ transitively), update FHIR core to 6.4.0+, and bump ucum + json-smart.

Environment

  • Trivy v0.69
  • openFHIR built from main branch (commit ~36353671)
  • Scan date: 2026-02-27

Thank you for maintaining openFHIR!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions