CVE 2025 48924 release (#809)

Co-authored-by: Dmitriy Tverdiakov <11927660+injectives@users.noreply.github.com>
Co-authored-by: Louise Berglund <louise.berglund@neo4j.com>

Author: 3 people

LICENSES.txt

@@ -24,9 +24,9 @@ Apache-2.0
   aws-java-sdk-core-1.12.643.jar
   aws-java-sdk-kms-1.12.643.jar
   aws-java-sdk-s3-1.12.643.jar
-  byte-buddy-1.15.11.jar
-  byte-buddy-agent-1.15.11.jar
-  caffeine-3.2.0.jar
+  byte-buddy-1.17.5.jar
+  byte-buddy-agent-1.17.5.jar
+  caffeine-3.2.1.jar
   cassandra-driver-core-3.10.0.jar
   commons-beanutils-1.9.4.jar
   commons-cli-1.5.0.jar
@@ -37,6 +37,8 @@ Apache-2.0
   commons-csv-1.9.0.jar
   commons-daemon-1.0.13.jar
   commons-io-2.19.0.jar
+  commons-lang-2.6.jar
+  commons-lang3-3.17.0.jar
   commons-lang3-3.18.0.jar
   commons-logging-1.3.5.jar
   commons-math3-3.6.1.jar
@@ -121,24 +123,24 @@ Apache-2.0
   jcip-annotations-1.0-1.jar
   jctools-core-4.0.5.jar
   jettison-1.5.4.jar
-  jetty-alpn-java-server-12.0.16.jar
-  jetty-alpn-server-12.0.16.jar
-  jetty-ee-12.0.16.jar
-  jetty-ee8-nested-12.0.16.jar
-  jetty-ee8-security-12.0.16.jar
-  jetty-ee8-servlet-12.0.16.jar
-  jetty-ee8-webapp-12.0.16.jar
-  jetty-http-12.0.16.jar
-  jetty-http2-common-12.0.16.jar
-  jetty-http2-hpack-12.0.16.jar
-  jetty-http2-server-12.0.16.jar
-  jetty-io-12.0.16.jar
-  jetty-security-12.0.16.jar
-  jetty-server-12.0.16.jar
+  jetty-alpn-java-server-12.0.17.jar
+  jetty-alpn-server-12.0.17.jar
+  jetty-ee-12.0.17.jar
+  jetty-ee8-nested-12.0.17.jar
+  jetty-ee8-security-12.0.17.jar
+  jetty-ee8-servlet-12.0.17.jar
+  jetty-ee8-webapp-12.0.17.jar
+  jetty-http-12.0.17.jar
+  jetty-http2-common-12.0.17.jar
+  jetty-http2-hpack-12.0.17.jar
+  jetty-http2-server-12.0.17.jar
+  jetty-io-12.0.17.jar
+  jetty-security-12.0.17.jar
+  jetty-server-12.0.17.jar
   jetty-servlet-api-4.0.6.jar
-  jetty-session-12.0.16.jar
-  jetty-util-12.0.16.jar
-  jetty-xml-12.0.16.jar
+  jetty-session-12.0.17.jar
+  jetty-util-12.0.17.jar
+  jetty-xml-12.0.17.jar
   jffi-1.2.16-native.jar
   jffi-1.2.16.jar
   jmespath-java-1.12.643.jar
@@ -239,7 +241,7 @@ Apache-2.0
   perfmark-api-0.27.0.jar
   picocli-4.7.7.jar
   proto-google-common-protos-2.51.0.jar
-  reactor-core-3.6.16.jar
+  reactor-core-3.6.18.jar
   reload4j-1.2.22.jar
   scala-collection-contrib_2.13-0.3.0.jar
   scala-library-2.13.16.jar
@@ -2222,14 +2224,14 @@ Eclipse Public License - v 2.0
   jersey-container-servlet-core-2.43.jar
   jersey-hk2-2.43.jar
   jersey-server-2.43.jar
-  junit-jupiter-5.12.2.jar
-  junit-jupiter-api-5.12.2.jar
-  junit-jupiter-engine-5.12.2.jar
-  junit-jupiter-params-5.12.2.jar
-  junit-platform-commons-1.12.2.jar
-  junit-platform-engine-1.12.2.jar
-  junit-platform-launcher-1.12.2.jar
-  junit-platform-testkit-1.12.2.jar
+  junit-jupiter-5.13.1.jar
+  junit-jupiter-api-5.13.1.jar
+  junit-jupiter-engine-5.13.1.jar
+  junit-jupiter-params-5.13.1.jar
+  junit-platform-commons-1.13.1.jar
+  junit-platform-engine-1.13.1.jar
+  junit-platform-launcher-1.13.1.jar
+  junit-platform-testkit-1.13.1.jar
   osgi-resource-locator-1.0.3.jar
 ------------------------------------------------------------------------------
 
@@ -2910,11 +2912,11 @@ and/or involve the use of third party software.
 ------------------------------------------------------------------------------
 MIT
   bcpkix-jdk15on-1.70.jar
-  bcpkix-jdk18on-1.80.jar
+  bcpkix-jdk18on-1.81.jar
   bcprov-jdk15on-1.70.jar
-  bcprov-jdk18on-1.80.jar
+  bcprov-jdk18on-1.81.jar
   bcutil-jdk15on-1.70.jar
-  bcutil-jdk18on-1.80.jar
+  bcutil-jdk18on-1.81.jar
   cassandra-1.20.2.jar
   checker-qual-3.43.0.jar
   couchbase-1.20.2.jar
@@ -2928,7 +2930,7 @@ MIT
   jersey-hk2-2.43.jar
   jnr-x86asm-1.0.2.jar
   localstack-1.20.2.jar
-  mockito-core-5.17.0.jar
+  mockito-core-5.18.0.jar
   mssql-jdbc-6.2.1.jre7.jar
   mysql-1.20.2.jar
   neo4j-1.20.2.jar

NOTICE.txt

@@ -54,9 +54,9 @@ Apache-2.0
   aws-java-sdk-core-1.12.643.jar
   aws-java-sdk-kms-1.12.643.jar
   aws-java-sdk-s3-1.12.643.jar
-  byte-buddy-1.15.11.jar
-  byte-buddy-agent-1.15.11.jar
-  caffeine-3.2.0.jar
+  byte-buddy-1.17.5.jar
+  byte-buddy-agent-1.17.5.jar
+  caffeine-3.2.1.jar
   cassandra-driver-core-3.10.0.jar
   commons-beanutils-1.9.4.jar
   commons-cli-1.5.0.jar
@@ -67,6 +67,8 @@ Apache-2.0
   commons-csv-1.9.0.jar
   commons-daemon-1.0.13.jar
   commons-io-2.19.0.jar
+  commons-lang-2.6.jar
+  commons-lang3-3.17.0.jar
   commons-lang3-3.18.0.jar
   commons-logging-1.3.5.jar
   commons-math3-3.6.1.jar
@@ -151,24 +153,24 @@ Apache-2.0
   jcip-annotations-1.0-1.jar
   jctools-core-4.0.5.jar
   jettison-1.5.4.jar
-  jetty-alpn-java-server-12.0.16.jar
-  jetty-alpn-server-12.0.16.jar
-  jetty-ee-12.0.16.jar
-  jetty-ee8-nested-12.0.16.jar
-  jetty-ee8-security-12.0.16.jar
-  jetty-ee8-servlet-12.0.16.jar
-  jetty-ee8-webapp-12.0.16.jar
-  jetty-http-12.0.16.jar
-  jetty-http2-common-12.0.16.jar
-  jetty-http2-hpack-12.0.16.jar
-  jetty-http2-server-12.0.16.jar
-  jetty-io-12.0.16.jar
-  jetty-security-12.0.16.jar
-  jetty-server-12.0.16.jar
+  jetty-alpn-java-server-12.0.17.jar
+  jetty-alpn-server-12.0.17.jar
+  jetty-ee-12.0.17.jar
+  jetty-ee8-nested-12.0.17.jar
+  jetty-ee8-security-12.0.17.jar
+  jetty-ee8-servlet-12.0.17.jar
+  jetty-ee8-webapp-12.0.17.jar
+  jetty-http-12.0.17.jar
+  jetty-http2-common-12.0.17.jar
+  jetty-http2-hpack-12.0.17.jar
+  jetty-http2-server-12.0.17.jar
+  jetty-io-12.0.17.jar
+  jetty-security-12.0.17.jar
+  jetty-server-12.0.17.jar
   jetty-servlet-api-4.0.6.jar
-  jetty-session-12.0.16.jar
-  jetty-util-12.0.16.jar
-  jetty-xml-12.0.16.jar
+  jetty-session-12.0.17.jar
+  jetty-util-12.0.17.jar
+  jetty-xml-12.0.17.jar
   jffi-1.2.16-native.jar
   jffi-1.2.16.jar
   jmespath-java-1.12.643.jar
@@ -269,7 +271,7 @@ Apache-2.0
   perfmark-api-0.27.0.jar
   picocli-4.7.7.jar
   proto-google-common-protos-2.51.0.jar
-  reactor-core-3.6.16.jar
+  reactor-core-3.6.18.jar
   reload4j-1.2.22.jar
   scala-collection-contrib_2.13-0.3.0.jar
   scala-library-2.13.16.jar
@@ -380,23 +382,23 @@ Eclipse Public License - Version 1.0
   jetty-servlet-api-4.0.6.jar
 
 Eclipse Public License - Version 2.0
-  jetty-alpn-java-server-12.0.16.jar
-  jetty-alpn-server-12.0.16.jar
-  jetty-ee-12.0.16.jar
-  jetty-ee8-nested-12.0.16.jar
-  jetty-ee8-security-12.0.16.jar
-  jetty-ee8-servlet-12.0.16.jar
-  jetty-ee8-webapp-12.0.16.jar
-  jetty-http-12.0.16.jar
-  jetty-http2-common-12.0.16.jar
-  jetty-http2-hpack-12.0.16.jar
-  jetty-http2-server-12.0.16.jar
-  jetty-io-12.0.16.jar
-  jetty-security-12.0.16.jar
-  jetty-server-12.0.16.jar
-  jetty-session-12.0.16.jar
-  jetty-util-12.0.16.jar
-  jetty-xml-12.0.16.jar
+  jetty-alpn-java-server-12.0.17.jar
+  jetty-alpn-server-12.0.17.jar
+  jetty-ee-12.0.17.jar
+  jetty-ee8-nested-12.0.17.jar
+  jetty-ee8-security-12.0.17.jar
+  jetty-ee8-servlet-12.0.17.jar
+  jetty-ee8-webapp-12.0.17.jar
+  jetty-http-12.0.17.jar
+  jetty-http2-common-12.0.17.jar
+  jetty-http2-hpack-12.0.17.jar
+  jetty-http2-server-12.0.17.jar
+  jetty-io-12.0.17.jar
+  jetty-security-12.0.17.jar
+  jetty-server-12.0.17.jar
+  jetty-session-12.0.17.jar
+  jetty-util-12.0.17.jar
+  jetty-xml-12.0.17.jar
 
 Eclipse Public License - v 1.0
   eclipse-collections-11.1.0.jar
@@ -420,14 +422,14 @@ Eclipse Public License - v 2.0
   jersey-container-servlet-core-2.43.jar
   jersey-hk2-2.43.jar
   jersey-server-2.43.jar
-  junit-jupiter-5.12.2.jar
-  junit-jupiter-api-5.12.2.jar
-  junit-jupiter-engine-5.12.2.jar
-  junit-jupiter-params-5.12.2.jar
-  junit-platform-commons-1.12.2.jar
-  junit-platform-engine-1.12.2.jar
-  junit-platform-launcher-1.12.2.jar
-  junit-platform-testkit-1.12.2.jar
+  junit-jupiter-5.13.1.jar
+  junit-jupiter-api-5.13.1.jar
+  junit-jupiter-engine-5.13.1.jar
+  junit-jupiter-params-5.13.1.jar
+  junit-platform-commons-1.13.1.jar
+  junit-platform-engine-1.13.1.jar
+  junit-platform-launcher-1.13.1.jar
+  junit-platform-testkit-1.13.1.jar
   osgi-resource-locator-1.0.3.jar
 
 GNU General Public License (GPL), version 2, with the Classpath exception
@@ -473,11 +475,11 @@ LGPL-2.1-or-later
 
 MIT
   bcpkix-jdk15on-1.70.jar
-  bcpkix-jdk18on-1.80.jar
+  bcpkix-jdk18on-1.81.jar
   bcprov-jdk15on-1.70.jar
-  bcprov-jdk18on-1.80.jar
+  bcprov-jdk18on-1.81.jar
   bcutil-jdk15on-1.70.jar
-  bcutil-jdk18on-1.80.jar
+  bcutil-jdk18on-1.81.jar
   cassandra-1.20.2.jar
   checker-qual-3.43.0.jar
   couchbase-1.20.2.jar
@@ -491,7 +493,7 @@ MIT
   jersey-hk2-2.43.jar
   jnr-x86asm-1.0.2.jar
   localstack-1.20.2.jar
-  mockito-core-5.17.0.jar
+  mockito-core-5.18.0.jar
   mssql-jdbc-6.2.1.jre7.jar
   mysql-1.20.2.jar
   neo4j-1.20.2.jar

common/build.gradle

@@ -60,6 +60,9 @@ dependencies {
         api('net.minidev:json-smart:2.5.2') {
             because 'CVE-2024-57699'
         }
+        api('org.apache.commons:commons-lang3:3.18.0') {
+            because 'CVE-2025-48924'
+        }
     }
 
     configurations.configureEach {

it/src/test/java/apoc/it/core/ExportCypherEnterpriseFeaturesTest.java

@@ -59,31 +59,17 @@ public static void afterAll() {
     }
 
     private static void beforeTwoLabelsWithOneCompoundConstraintEach() {
-        session.writeTransaction(tx -> {
-            tx.run("CREATE CONSTRAINT compositeBase FOR (t:Base) REQUIRE (t.tenantId, t.id) IS NODE KEY");
-            tx.commit();
-            return null;
-        });
-        session.writeTransaction(tx -> {
-            tx.run("CREATE (a:Person:Base {name: 'Phil', surname: 'Meyer', tenantId: 'neo4j', id: 'waBfk3z'}) "
-                    + "CREATE (b:Person:Base {name: 'Silvia', surname: 'Jones', tenantId: 'random', id: 'waBfk3z'}) "
-                    + "CREATE (a)-[:KNOWS {foo:2}]->(b)");
-            tx.commit();
-            return null;
-        });
+        session.executeWriteWithoutResult(
+                tx -> tx.run("CREATE CONSTRAINT compositeBase FOR (t:Base) REQUIRE (t.tenantId, t.id) IS NODE KEY"));
+        session.executeWriteWithoutResult(tx ->
+                tx.run("CREATE (a:Person:Base {name: 'Phil', surname: 'Meyer', tenantId: 'neo4j', id: 'waBfk3z'}) "
+                        + "CREATE (b:Person:Base {name: 'Silvia', surname: 'Jones', tenantId: 'random', id: 'waBfk3z'}) "
+                        + "CREATE (a)-[:KNOWS {foo:2}]->(b)"));
     }
 
     private static void afterTwoLabelsWithOneCompoundConstraintEach() {
-        session.writeTransaction(tx -> {
-            tx.run("MATCH (a:Person:Base) DETACH DELETE a");
-            tx.commit();
-            return null;
-        });
-        session.writeTransaction(tx -> {
-            tx.run("DROP CONSTRAINT compositeBase");
-            tx.commit();
-            return null;
-        });
+        session.executeWriteWithoutResult(tx -> tx.run("MATCH (a:Person:Base) DETACH DELETE a"));
+        session.executeWriteWithoutResult(tx -> tx.run("DROP CONSTRAINT compositeBase"));
     }
 
     @Test