3.4 - Security fixes
Security fixes provided in 3.4.4-funcrel
| CAST service | CVE | Severity | Description | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2025-41249 | HIGH | org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability | 3.4.1-funcrel |
| admin-center | CVE-2025-48989 | HIGH | tomcat: http/2 “MadeYouReset” DoS attack through HTTP/2 control frames | 3.4.1-funcrel |
| admin-center | CVE-2025-55163 | HIGH | netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability | 3.4.1-funcrel |
| auth | CVE-2025-41248 | HIGH | org.springframework.security/spring-security-core: Spring Security authorization bypass | 3.4.1-funcrel |
| auth | CVE-2025-41249 | HIGH | org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability | 3.4.1-funcrel |
| auth | CVE-2025-55163 | HIGH | netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability | 3.4.1-funcrel |
| console | CVE-2025-55163 | HIGH | netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability | 3.4.1-funcrel |
| dashboards | CVE-2025-41249 | HIGH | org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability | 3.4.1-funcrel |
| dashboards | CVE-2025-48989 | HIGH | tomcat: http/2 “MadeYouReset” DoS attack through HTTP/2 control frames | 3.4.1-funcrel |
| neo4j | CVE-2025-5115 | HIGH | jetty: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to “MadeYouReset” DoS attack through HTTP/2 control frames | 3.4.4 |
| node | CVE-2025-48989 | HIGH | tomcat: http/2 “MadeYouReset” DoS attack through HTTP/2 control frames | 3.4.1-funcrel |
| sso-service | CVE-2025-41249 | HIGH | org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability | 3.4.1-funcrel |
| sso-service | CVE-2025-55163 | HIGH | netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability | 3.4.1-funcrel |
| viewer | CVE-2025-22868 | HIGH | golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws | 3.4.1-funcrel |
| viewer | CVE-2025-22869 | HIGH | golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh | 3.4.1-funcrel |
| viewer | CVE-2025-22874 | HIGH | crypto/x509: Usage of ExtKeyUsageAny disables policy validation in crypto/x509 | 3.4.1-funcrel |
| viewer | CVE-2025-47907 | HIGH | database/sql: Postgres Scan Race Condition | 3.4.1-funcrel |
| viewer | CVE-2025-6984 | HIGH | langchain-community: Langchain-community insecure XML parsing | 3.4.1-funcrel |
Security fixes provided in 3.4.1-funcrel
| CAST service | CVE | Severity | Description | Affected CAST release |
|---|---|---|---|---|
| analysis-node | CVE-2021-3572 | HIGH | python-pip: Incorrect handling of unicode separators in git references | 3.4.0-funcrel |
| analysis-node | CVE-2022-40897 | HIGH | pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py | 3.4.0-funcrel |
| analysis-node | CVE-2022-41404 | HIGH | org.ini4j: unspecified DoS | 3.4.0-funcrel |
| analysis-node | CVE-2024-6345 | HIGH | pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools | 3.4.0-funcrel |
| analysis-node | CVE-2025-47273 | HIGH | setuptools: Path Traversal Vulnerability in setuptools PackageIndex | 3.4.0-funcrel |
| dashboards | CVE-2022-41404 | HIGH | org.ini4j: unspecified DoS | 3.4.0-funcrel |
| sso-service | CVE-2025-49146 | HIGH | pgjdbc: pgjdbc insecure authentication in channel binding | 3.4.0-funcrel |
Security fixes provided in 3.4.0-funcrel
| CAST service | CVE | Description | Affected CAST release |
|---|---|---|---|
| admin-center | CVE-2025-48988 | tomcat: Apache Tomcat DoS in multipart upload | 3.3.0-funcrel |
| admin-center | CVE-2025-49146 | pgjdbc: pgjdbc insecure authentication in channel binding | 3.3.0-funcrel |
| analysis-node | CVE-2025-48734 | commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum’s declaredClass property by default | 3.3.0-funcrel |
| analysis-node | CVE-2025-48988 | tomcat: Apache Tomcat DoS in multipart upload | 3.3.0-funcrel |
| analysis-node | CVE-2025-49146 | pgjdbc: pgjdbc insecure authentication in channel binding | 3.3.0-funcrel |
| auth-service | CVE-2025-41235 | Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies | 3.3.0-funcrel |
| console | CVE-2025-41235 | Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies | 3.3.0-funcrel |
| dashboards | CVE-2025-22235 | org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | 3.3.0-funcrel |
| dashboards | CVE-2025-48988 | tomcat: Apache Tomcat DoS in multipart upload | 3.3.0-funcrel |
| dashboards | CVE-2025-49146 | pgjdbc: pgjdbc insecure authentication in channel binding | 3.3.0-funcrel |
| gateway | CVE-2025-41235 | Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies | 3.3.0-funcrel |
| gateway | CVE-2025-48988 | tomcat: Apache Tomcat DoS in multipart upload | 3.3.0-funcrel |
| imaging-viewer | CVE-2025-4565 | python-protobuf: Unbounded recursion in Python Protobuf | 3.3.0-funcrel |
| neo4j | CVE-2025-1948 | jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability | 3.3.0-funcrel |
| sso-service | CVE-2025-3501 | org.keycloak.protocol.services: Keycloak hostname verification | 3.3.0-funcrel |