Vulnerability CVE-2025-59432 for com.ongres.scram.common:2.1

[steidos]

Hi all,
I'm analysing how to solve the vulnerability CVE-2025-59432 that is affecting the com.ongres.scram.common:2.1 library.
This is a transitive dependency from the quarkus-reactive-pg-client:

\- io.quarkus:quarkus-reactive-pg-client:jar:3.27.0:compile
  \- com.ongres.scram:client:jar:2.1:compile
     \- com.ongres.scram:common:jar:2.1:compile

To fix the security issue, the suggestion is to move to the scram-client and scram-common libraries and upgrade to version com.ongres.scram:scram-common:3.2,https://github.com/ongres/scram.git - 3.2.

Is it compatible with the quarkus-reactive-pg-client at version 3.27.0? Is there any plan to upgrade the dependency?

Thanks in advance

[sberyozkin]

@yrodiere Can you please have a look or ask someone else who is looking after reactive pg client to evalute such an update ?

[yrodiere]

The way I read https://github.com/quarkusio/quarkus/security/policy , we should not be discussing this here.

But anyway, I will ping the right people.

[steidos]

I'm sorry, I'll be more careful next time. Thank you