From 5921eef20a3f13722d9273e3bd169088e8148033 Mon Sep 17 00:00:00 2001
From: pabloFuente <pablofuenteperez@gmail.com>
Date: Tue, 9 Dec 2025 12:43:55 +0100
Subject: [PATCH] openvidu-server: fix multiple CVEs in dependencies

- Jackson (CVE-2025-52999, PRISMA-2023-0067): upgraded `jackson-core` and `jackson-databind` from `2.14.0` to `2.19.2`
- Apache HttpClient (CVE-2020-13956): upgraded `httpclient` from `4.5.12` to `4.5.14`.
- Netty (CVE-2025-58057, CVE-2025-58056): upgraded `netty-codec-http` and `netty-codec-compression` from `4.2.4.Final` to `4.2.7.Final`.
---
 openvidu-server/pom.xml | 57 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/openvidu-server/pom.xml b/openvidu-server/pom.xml
index 7cb90dd96..7eaf370e2 100644
--- a/openvidu-server/pom.xml
+++ b/openvidu-server/pom.xml
@@ -212,6 +212,36 @@
 		</profile>
 	</profiles>
 
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>com.fasterxml.jackson.core</groupId>
+				<artifactId>jackson-core</artifactId>
+				<version>2.19.2</version>
+			</dependency>
+			<dependency>
+				<groupId>com.fasterxml.jackson.core</groupId>
+				<artifactId>jackson-databind</artifactId>
+				<version>2.19.2</version>
+			</dependency>
+			<dependency>
+				<groupId>org.apache.httpcomponents</groupId>
+				<artifactId>httpclient</artifactId>
+				<version>4.5.14</version>
+			</dependency>
+			<dependency>
+				<groupId>io.netty</groupId>
+				<artifactId>netty-codec-http</artifactId>
+				<version>4.2.7.Final</version>
+			</dependency>
+			<dependency>
+				<groupId>io.netty</groupId>
+				<artifactId>netty-codec-compression</artifactId>
+				<version>4.2.7.Final</version>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
+
 	<dependencies>
 		<dependency>
 			<groupId>org.kurento</groupId>
@@ -336,6 +366,33 @@
 			<version>${version.jackson-annotations}</version>
 		</dependency>
 
+		<!-- CVE Fixes -->
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-core</artifactId>
+			<version>2.19.2</version>
+		</dependency>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-databind</artifactId>
+			<version>2.19.2</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.httpcomponents</groupId>
+			<artifactId>httpclient</artifactId>
+			<version>4.5.14</version>
+		</dependency>
+		<dependency>
+			<groupId>io.netty</groupId>
+			<artifactId>netty-codec-http</artifactId>
+			<version>4.2.7.Final</version>
+		</dependency>
+		<dependency>
+			<groupId>io.netty</groupId>
+			<artifactId>netty-codec-compression</artifactId>
+			<version>4.2.7.Final</version>
+		</dependency>
+
 
 		<!-- Test dependencies -->