Fix plexus-utils CVE-2025-67030 suppression by Jenson3210 · Pull Request #1144 · openrewrite/rewrite-maven-plugin
Conversation
Jenson3210 commented (edited by moderne-meeseeksBot)

Summary
- Fix the existing suppression for CVE-2025-67030 (plexus-utils directory traversal)
- Changed `<vulnerabilityName>` to `<cve>` — NVD-sourced vulnerabilities require the `<cve>` element to be matched by the OWASP dependency-check plugin
- The suppression was already in place but wasn't being applied because of this mismatch

plexus-utils 3.6.1 is the patched version (advisory says < 3.6.1 is vulnerable), but the GHSA database hasn't updated the range yet, so the scanner still flags it.

Test plan
- Verify `dependency-check-maven:check` no longer reports CVE-2025-67030 for plexus-utils 3.6.1
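The mismatch described in the PR (a CVE id keyed on `<vulnerabilityName>` instead of `<cve>`) is easy to lint for before a scan runs. The following is an added example, not code from this PR or from the rewrite-maven-plugin project: it embeds a constructed "before" and "after" suppression file and flags any NVD-style CVE id placed in `<vulnerabilityName>`, which per the PR description is why the existing suppression was not applied. The dependency-check 1.3 suppression schema URL and the `org.codehaus.plexus:plexus-utils` package URL are assumptions; the CVE id and version come from the PR.

```python
import re
import xml.etree.ElementTree as ET

# NVD identifiers look like CVE-YYYY-NNNN (four or more digits after the year).
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Assumed, not taken from the PR: dependency-check's 1.3 suppression schema and the
# org.codehaus.plexus:plexus-utils Maven coordinates.
_HEADER = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/'
    'dependency-suppression.1.3.xsd">\n'
)
# Pin the packageUrl to the patched 3.6.1 release so that a later downgrade to a
# vulnerable version is not silently suppressed as well.
_PURL = r'<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@3\.6\.1$</packageUrl>'

# Constructed "before": the CVE id sits in <vulnerabilityName>, which an NVD-sourced
# finding does not match, so the scanner keeps flagging plexus-utils.
SUPPRESSIONS_BEFORE = _HEADER + f"""  <suppress>
    <notes>plexus-utils 3.6.1 is patched; advisory range not yet updated upstream</notes>
    {_PURL}
    <vulnerabilityName>CVE-2025-67030</vulnerabilityName>
  </suppress>
</suppressions>
"""

# Constructed "after": the same entry keyed on <cve>, as the PR changes it.
SUPPRESSIONS_AFTER = _HEADER + f"""  <suppress>
    <notes>plexus-utils 3.6.1 is patched; advisory range not yet updated upstream</notes>
    {_PURL}
    <cve>CVE-2025-67030</cve>
  </suppress>
</suppressions>
"""


def parse_suppressions(xml_text):
    """Return one dict per <suppress> entry; {*} wildcards make this namespace-agnostic."""
    root = ET.fromstring(xml_text)
    entries = []
    for sup in root.findall(".//{*}suppress"):
        entries.append({
            "notes": (sup.findtext("{*}notes") or "").strip(),
            "packageUrl": (sup.findtext("{*}packageUrl") or "").strip(),
            "cve": [e.text.strip() for e in sup.findall("{*}cve") if e.text],
            "vulnerabilityName": [e.text.strip()
                                  for e in sup.findall("{*}vulnerabilityName") if e.text],
        })
    return entries


def misfiled_cve_ids(xml_text):
    """CVE ids placed in <vulnerabilityName>; these do not match an NVD-sourced finding."""
    return [name for entry in parse_suppressions(xml_text)
            for name in entry["vulnerabilityName"] if CVE_ID.match(name)]


def suppressed_cves(xml_text):
    """CVE ids the file actually suppresses, i.e. those given in a <cve> element."""
    return sorted({cve for entry in parse_suppressions(xml_text) for cve in entry["cve"]})


if __name__ == "__main__":
    for label, text in (("before", SUPPRESSIONS_BEFORE), ("after", SUPPRESSIONS_AFTER)):
        print(f"{label}: misfiled={misfiled_cve_ids(text)} suppressed={suppressed_cves(text)}")
```

Running the script reports the "before" file as carrying one misfiled CVE id and no effective CVE suppression, and the "after" file as the reverse; wiring `misfiled_cve_ids` into a pre-commit or CI step catches this class of silently ignored suppression before `dependency-check-maven:check` is relied on.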
mergify Bot added a commit to robfrank/linklift that referenced this pull request