
Fix XXE vulnerability by upgrading transitive Rhino dependency to 1.7.14 #2267

Draft
Copilot wants to merge 2 commits into master from copilot/fix-xml-external-entities-vulnerability

Conversation

Copilot AI commented Feb 2, 2026

Pull Request

Thank you for contributing to swagger-parser!

Please fill out the following checklist to help us review your PR efficiently.


Description

Problem: The transitive dependency on Mozilla Rhino 1.7.7.2 exposes an XXE vulnerability (BDSA-2018-5289) via the toXml function.

Dependency chain:

swagger-compat-spec-parser:1.0.75 
  → json-schema-validator:2.2.14 
    → json-schema-core:1.2.14 
      → rhino:1.7.7.2 (vulnerable)

Solution: Override Rhino to 1.7.14 in parent dependencyManagement.

Why 1.7.14:

  • XXE vulnerability fixed in 1.7.13+
  • Latest version compatible with Java 8 (project requirement)
  • 1.7.15+ requires Java 11+
  • No known CVEs per GitHub advisory database

Change: Added single dependency management entry to force all transitive Rhino dependencies to 1.7.14.

Type of Change

  • 🐛 Bug fix
  • ✨ New feature
  • ♻️ Refactor (non-breaking change)
  • 🧪 Tests
  • 📝 Documentation
  • 🧹 Chore (build or tooling)

Checklist

  • I have added/updated tests as needed
  • I have added/updated documentation where applicable
  • The PR title is descriptive
  • The code builds and passes tests locally
  • I have linked related issues (if any)

Screenshots / Additional Context

Verified via dependency tree:

[INFO] \- org.mozilla:rhino:jar:1.7.14:compile

No code changes required - dependency override applies project-wide to all modules consuming the vulnerable transitive dependency.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • 0.example.com, 0.xn--p28h.local, 999.999.999.999, example.co0, example.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -javaagent:/home/REDACTED/.m2/repository/org/jmockit/jmockit/1.49/jmockit-1.49.jar --add-opens java.base/java.lang=ALL-UNNAMED -Djdk.attach.allowAttachSelf -jar /home/REDACTED/work/swagger-parser/swagger-parser/modules/swagger-parser-safe-url-resolver/target/surefire/surefirebooter-20260202105054810_6.jar /home/REDACTED/work/swagger-parser/swagger-parser/modules/swagger-parser-safe-url-resolver/target/surefire 2026-02-02T10-50-53_559-jvmRun1 surefire-20260202105054810_4tmp surefire_1-20260202105054810_5tmp (dns block)
  • docs.oracle.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/swagger-parser/swagger-parser org.codehaus.plexus.classworlds.launcher.Launcher clean install -DskipTests (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/javadoc /usr/lib/jvm/temurin-17-jdk-amd64/bin/javadoc -J-Xmx1024m @options @packages (dns block)
  • jeremylong.github.io, nvd.nist.gov, www.cisa.gov
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/swagger-parser/swagger-parser org.codehaus.plexus.classworlds.launcher.Launcher dependency-check:check -P security -Dformat=JSON -DskipTests (dns block)
  • petstore.swagger.io, petstore3.swagger.io
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -javaagent:/home/REDACTED/.m2/repository/org/jmockit/jmockit/1.49/jmockit-1.49.jar --add-opens java.base/java.lang=ALL-UNNAMED -Djdk.attach.allowAttachSelf -jar /home/REDACTED/work/swagger-parser/swagger-parser/modules/swagger-parser-v3/target/surefire/surefirebooter-20260202105100012_12.jar /home/REDACTED/work/swagger-parser/swagger-parser/modules/swagger-parser-v3/target/surefire 2026-02-02T10-50-53_559-jvmRun1 surefire-20260202105100012_10tmp surefire_3-20260202105100012_11tmp (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>BDSA-2018-5289 Mozilla Rhino - 1.7.7.2</issue_title>
<issue_description>Mozilla Rhino is vulnerable to XML external entities (XXE) due to an insecure XML parsing in the toXml function. Applications that use this function to accept untrusted input could be vulnerable to information disclosure and minor integrity and availability impacts due to the requests sent and local files accessed by the external entities in the crafted XML document.

Transitive dependency brought in by the following components:

maven: io.swagger.parser.v3:swagger-parser:2.1.22
maven: io.swagger.parser.v3:swagger-parser-v2-converter:2.1.22
maven: io.swagger:swagger-compat-spec-parser:1.0.70
maven: com.github.java-json-tools:json-schema-validator:2.2.14
maven: com.github.java-json-tools:json-schema-core:1.2.14
maven: org.mozilla:rhino:1.7.7.2

This library has not been updated for more than 4 years and is full of vulnerabilities.
JSON Schema Core » 1.2.14
Rhino's most recent version, 1.7.15, has no vulnerabilities known at this moment.
The issue is clearly the dependency on json-schema-validator:2.2.14 and json-schema-core:1.2.14
</issue_description>

Comments on the Issue (you are @copilot in this section)


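The override the PR describes, written out as an added example rather than the PR's own diff (the page does not show the diff): a parent pom fragment that manages org.mozilla:rhino to 1.7.14 for every module that inherits from the parent, plus a Maven Enforcer rule so the build fails if any transitive path ever resolves Rhino below that version again. The property name rhino.version, the execution id and the enforcer plugin version are assumptions, not taken from the swagger-parser repository.

```xml
<!-- Added example: parent pom.xml fragment, not the swagger-parser project's diff.
     rhino.version, the execution id and the enforcer plugin version are assumptions. -->
<project>
  <properties>
    <rhino.version>1.7.14</rhino.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version is applied to transitive dependencies as well as direct
           ones, so the 1.7.7.2 declared by json-schema-core 1.2.14 resolves to 1.7.14
           in every inheriting module without adding a direct dependency on Rhino. -->
      <dependency>
        <groupId>org.mozilla</groupId>
        <artifactId>rhino</artifactId>
        <version>${rhino.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Regression guard: bannedDependencies inspects the resolved tree, so if the
           managed entry above is ever removed or a new artifact drags in an older
           Rhino, the build fails instead of silently shipping 1.7.7.2 again. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.5.0</version>
        <executions>
          <execution>
            <id>ban-vulnerable-rhino</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!-- any org.mozilla:rhino with version < 1.7.14 -->
                    <exclude>org.mozilla:rhino:[,1.7.14)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Check the result the same way the PR does, with `mvn dependency:tree -Dincludes=org.mozilla:rhino`; adding `-Dverbose` also prints the omitted 1.7.7.2 node under json-schema-core with a "version managed from" annotation, which is the direct evidence that the override, and not some other resolution path, produced the 1.7.14 line shown above. Two caveats follow from the page itself: the override changes only the resolved version, not json-schema-core 1.2.14, so the compat-spec-parser test run is the only evidence that 1.7.14 is compatible with it; and the dependency-check run listed in the Warning was blocked from reaching nvd.nist.gov, jeremylong.github.io and www.cisa.gov, so the "No known CVEs" statement rests on the GitHub advisory database alone rather than on a completed OWASP dependency-check scan.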

Copilot AI changed the title from "[WIP] Fix XML external entities vulnerability in Mozilla Rhino" to "Fix XXE vulnerability by upgrading transitive Rhino dependency to 1.7.14" on Feb 2, 2026
Copilot AI requested a review from daniel-kmiecik February 2, 2026 10:56


Development

Successfully merging this pull request may close these issues.

BDSA-2018-5289 Mozilla Rhino - 1.7.7.2

2 participants