We are using core-io:3.8.3 in our Spring Boot 3.4.5 application. Our CI/CD pipeline has flagged a high-severity vulnerability (CVE-2024-7254 / BDSA-2024-6519) due to the inclusion of protobuf-java:3.25.5 inside the shaded package of core-io.
This vulnerability, updated on July 30, 2025, describes a potential Denial of Service via unbounded recursion when parsing nested SGROUP tags in Protocol Buffers.
Although we explicitly use protobuf-java:3.25.8 in our project, the shaded version inside core-io is still detected by our security scanners (e.g., Fortify), and blocks our pipeline.
Could you please consider updating the protobuf-java dependency to a patched version (e.g., 3.25.8 or later) in a future release of core-io?
Thank you for your support and for maintaining such a great product.
Release 3.9.0 is scheduled for today. If it is not already in 3.9.0, I’ll make sure it is in 3.9.1 scheduled for the first Tuesday in September.
FYI - the Couchbase Java SDK only uses protobuf for couchbase2:// (Cloud Native Gateway).
Ok. But that isn’t referenced by couchbase. protobuf-java 4.29.2 is referenced by the couchbase protostellar module, which is referenced by core-io-deps, which is referenced by core-io. Maybe if you posted how your pipeline has flagged it, I would understand better.
Our blackduck report for 3.8.2 shows protobuf-java 4.29.2
@XhoiK do note that’s a <scope>compile</scope> dependency, e.g. it is only pulled in at the point of compiling the SDK, in which case I do not believe the CVE would apply. I wonder if it’s pulled in by the Maven plugin that we use to compile protobuf code with (we are on the latest version of this).
As Mike says - at runtime we use 4.29.2, plus you will not be using protobuf & GRPC at all if you are using the regular couchbase[s]:// protocol.
All of which is to say - I do not believe there to be a real security concern here, certainly at first look, and it looks like a false positive from the security scanner because it is poking around at low-level build implementation details that do not affect runtime security. You can upgrade safely.
But regardless, we will look at what is possible to make the scanner happy, as a lower priority item.
So, it seems that this is a false positive and I can add a comment in my fortify scanner page specifying that.
If you also need my blackduck scanner page I can share it, if it helps you understand even better where the vulnerability comes from.
In short the vulnerable path that is reported from my blackduck is this:
WEB-INF/lib/core-io-3.8.3.jar → com/couchbase/client/core/deps/com/google/protobuf
@XhoiK it is somewhat confusing, since we use Blackduck ourselves as part of our security reviews, and as Mike shows in the screenshot it is picking up the correct runtime dependency for core-io of protobuf-java 4.29.2.
Maybe if you could indeed share that screenshot it would help us understand where the false positive is coming from.
mvn dependency:tree of core-io-deps (which has the dependencies that get shadowed) shows
com.google.protobuf:protobuf-java:jar:4.29.2:compile as a direct dependency of com.couchbase.client:protostellar (couchbase2[s]:// support), but does not show proto-google-common-protos as a dependency of that.
It does show com.google.api.grpc:proto-google-common-protos:jar:2.48.0:compile as a dependency of io.grpc:grpc-api:jar:1.69.0:compile, which is a dependency of io.grpc:grpc-protobuf:jar:1.69.0:compile, which is a dependency of com.couchbase.client:protostellar. But it does not show protobuf-java as a dependency of proto-google-common-protos (I presume because it already has that from com.google.protobuf:protobuf-java:jar:4.29.2:compile).
Unfortunately, I cannot upload images here. But let me try to summarize its content.
I upgraded to the 3.9.0 version and the blackduck scan reports that inside myfolder/my-app.war there is the jar WEB-INF/lib/core-io-3.9.0.jar that contains an outdated version of protobuf (3.25.5) inside the directory: com/couchbase/client/core/deps/com/google/protobuf
Indeed, if I search in my solution for protobuf-java I can find this dependency: <dependencies> <dependency> <groupId>com.google.protobuf</groupId> <artifactId>protobuf-java</artifactId> <version>3.25.5</version> <scope>compile</scope> <optional>false</optional> </dependency> </dependencies>
As near as I can figure - those classes are from 4.29.2
I wish I had something more convincing, but if you fetch the actual jars and inspect the classes, you’ll see that the ones from core-io match those from 4.29.2 (they are not exactly the same size due to being repackaged), but the dates match.
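One way to do the jar-to-jar check described above, as an added example that is not code from this thread or from Couchbase: the script maps each class of a reference protobuf-java jar to its relocated path under com/couchbase/client/core/deps/ (the prefix quoted in the thread) in the core-io jar and compares entry timestamps rather than sizes, since sizes change on repackaging. The jar contents in demo() are constructed in memory; on real artifacts call compare_shaded_classes with the two jar paths.

```python
import io
import zipfile

# Relocation prefix the shade plugin prepends to packages bundled into core-io
PREFIX = "com/couchbase/client/core/deps/"
PKG = "com/google/protobuf/"

def compare_shaded_classes(shaded_jar, reference_jar, prefix=PREFIX, pkg=PKG):
    """Map each protobuf class in the reference jar to its relocated path in the
    shaded jar and compare entry timestamps. Sizes change when classes are
    repackaged, so only presence and date are checked."""
    result = {"matched": [], "date_mismatch": [], "missing": []}
    with zipfile.ZipFile(shaded_jar) as shaded, zipfile.ZipFile(reference_jar) as ref:
        shaded_entries = {i.filename: i for i in shaded.infolist()}
        for info in ref.infolist():
            if not (info.filename.startswith(pkg) and info.filename.endswith(".class")):
                continue
            target = shaded_entries.get(prefix + info.filename)
            if target is None:
                result["missing"].append(info.filename)
            elif target.date_time != info.date_time:
                result["date_mismatch"].append(info.filename)
            else:
                result["matched"].append(info.filename)
    return result

def build_jar(entries):
    """Build an in-memory jar from {path: (date_time tuple, payload bytes)}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, (stamp, payload) in entries.items():
            zf.writestr(zipfile.ZipInfo(path, date_time=stamp), payload)
    buf.seek(0)
    return buf

def demo():
    """Constructed sample jars, not real artifacts: relocated copies are larger
    but keep the original timestamps, except one stale class and one missing."""
    magic, stamp, stale = b"\xca\xfe\xba\xbe", (2024, 12, 18, 10, 0, 0), (2023, 9, 1, 0, 0, 0)
    reference = build_jar({
        PKG + "CodedInputStream.class": (stamp, magic + b"A" * 40),
        PKG + "MessageLite.class": (stamp, magic + b"B" * 20),
        PKG + "WireFormat.class": (stamp, magic + b"C" * 30),
    })
    shaded = build_jar({
        PREFIX + PKG + "CodedInputStream.class": (stamp, magic + b"A" * 60),
        PREFIX + PKG + "MessageLite.class": (stale, magic + b"B" * 30),
    })
    return compare_shaded_classes(shaded, reference)
```

A class listed under date_mismatch or missing is the one to look at when a scanner claims the shaded copy comes from a different release than the reference jar.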