Describe the issue
Our project is using org.springframework.ai:spring-a-starter-vector-store-milvus:1.1.8 and a vulnerability scan reports that its transitive dependency io.grpc:grpc-netty-shaded:1.59.1 is affected by CVE-2025-55163 (Score: 7.5).
Vulnerability Details
- CVE: CVE-2025-55163
- Description: Netty, which is shaded by
grpc-netty-shaded, is vulnerable to a "MadeYouReset" DDoS attack. The vulnerability allows resource exhaustion by using malformed HTTP/2 control frames to break the max concurrent streams limit .
- Affected Dependency:
io.grpc:grpc-netty-shaded:1.59.1
- Fixed Version:
io.grpc:grpc-netty-shaded:1.75.0
Dependency Tree (Relevant Part)
Here's the relevant dependency path from our build:
maven:org.springframework:spring-a-starter-vector-store-milvus:1.1.8
└─ maven:io.milvus:milvus-sdk-java:2.5.8
└─ maven:io.grpc:grpc-netty-shaded:1.59.1 (vulnerable)
Proposed Solution
Could the Spring AI team consider bumping the version of io.milvus:milvus-sdk-java or overriding the grpc-netty-shaded dependency to version 1.75.0 or later in a future patch release? This would resolve the vulnerability for all downstream projects.
Additional Context
- Spring AI Version:
1.1.8
- Milvus SDK Version:
2.5.8
- Build Tool: Maven
Thank you for your attention to this security matter.
Describe the issue
Our project is using
org.springframework.ai:spring-a-starter-vector-store-milvus:1.1.8and a vulnerability scan reports that its transitive dependencyio.grpc:grpc-netty-shaded:1.59.1is affected by CVE-2025-55163 (Score: 7.5).Vulnerability Details
grpc-netty-shaded, is vulnerable to a "MadeYouReset" DDoS attack. The vulnerability allows resource exhaustion by using malformed HTTP/2 control frames to break the max concurrent streams limit .io.grpc:grpc-netty-shaded:1.59.1io.grpc:grpc-netty-shaded:1.75.0Dependency Tree (Relevant Part)
Here's the relevant dependency path from our build:
Proposed Solution
Could the Spring AI team consider bumping the version of
io.milvus:milvus-sdk-javaor overriding thegrpc-netty-shadeddependency to version1.75.0or later in a future patch release? This would resolve the vulnerability for all downstream projects.Additional Context
1.1.82.5.8Thank you for your attention to this security matter.