Patched Vulnerabilities

This page lists the security vulnerabilities that were patched in Graph Studio and Graph Lakehouse releases.


Altair Graph Studio Releases

Graph Studio 2026.0.1 Engine v6.2.1

  • CVE-2025-30749, CVE-2025-50106, CVE-2025-50059: Updated Java Runtime to version 17.0.16 to address multiple high-severity vulnerabilities related to the Java SE 2D and Java SE Networking components.
  • CVE-2024-6763: Updated Jetty to version 12.0.12 to address a URI parsing vulnerability.
  • Updated the mina-core, netty, tika-core, grpc-netty-shaded, activemq, and janino libraries.
  • CVE-2025-53066: Updated OpenJDK to version 21.0.9 to address a JAXP vulnerability.

Graph Studio 2026.0 Engine v6.2

  • CVE-2024-47535: Fixed a Netty denial-of-service vulnerability (unsafe reading of an environment file on Windows) in Graph Studio dependencies.
  • CVE-2024-6763: Resolved an Eclipse Jetty URI parsing vulnerability affecting the handling of invalid authority sections.
  • CVE-2025-48734: Fixed an Apache Commons BeanUtils improper access control vulnerability by upgrading to version 1.11.0.
  • CVE-2025-52999: Resolved a Jackson Core vulnerability in both the main Graph Studio and the Distributed Unstructured (DU) pipeline dependencies by upgrading to version 2.15.0.
  • CVE-2025-50059, CVE-2025-30749, CVE-2025-50106: Fixed multiple security vulnerabilities in OpenJDK components affecting 2D graphics and networking.
  • CVE-2025-55163: Resolved Netty HTTP/2 DDoS vulnerability (MadeYouReset attack) affecting codec-http2 components.

Graph Studio 2025.1 Engine v6.1

  • CVE-2025-48734 (Graph Studio Distributed Unstructured): Fixes CVE-2025-48734 for Graph Studio Distributed Unstructured users.
  • DOMPurify library update: Updates the DOMPurify JavaScript library to address a CVE.
  • Journal query performance regression: Fixes a regression in journal query performance.

Graph Studio 2025.0.1 Engine v6.0.1

  • CVE-2024-21235 (Medium Severity): Addresses CVE-2024-21235 and other CVEs in the openjdk and jetty components.
  • Multiple High Severity CVEs in Unstructured Components: Resolves multiple high-severity CVEs in the okio and openjdk components, which could allow unauthenticated network compromise and data manipulation.
  • CVE-2025-25193 (Medium Severity) in Netty: Fixes CVE-2025-25193, a denial-of-service issue, in netty-common.
  • CVE-2025-1391 in Keycloak Services: Resolves CVE-2025-1391 in keycloak-services (single sign-on).
  • CVE-2025-27553 (High Severity) in Commons VFS2: Patches high-severity CVE-2025-27553, a relative path traversal vulnerability, in commons-vfs2, which is used in pipeline data flows.
  • CVE-2024-13009 (High Severity) in Jetty Server: Fixes high-severity CVE-2024-13009 in jetty-server, which could result in corrupted data or data inadvertently shared between requests.
  • Keycloak CVE-2025-3501: Resolves CVE-2025-3501, which allowed trust store verification to be bypassed. CVE-2019-9628 was determined to be a false positive.
  • Update to Latest Keycloak Libraries: Updates the Keycloak libraries to version 26.1.5 to mitigate various CVEs.
  • Elasticsearch Update: Updates Elasticsearch to address CVE-2024-52981.
  • XSS Security Fix for Object Titles: Patches a cross-site scripting (XSS) vulnerability that allowed malicious scripts to be injected through object titles.

Graph Studio 5.4.16

Graph Studio 5.4.16 addresses multiple security vulnerabilities. All security fixes have been verified through container image scanning.

  • CVE-2025-59419 - Netty Codec SMTP Vulnerability (Severity: High)

    Fixed a high-severity vulnerability in the io.netty:netty-codec-smtp package by upgrading from version 4.1.118.Final to version 4.1.128.Final.

  • CVE-2025-53066 - OpenJDK JAXP Vulnerability (Severity: High)

    Resolved a high-severity vulnerability in Oracle Java SE (component: JAXP) by upgrading OpenJDK from version 1.8.0_462 to version 1.8.0_472. This vulnerability allowed unauthenticated attackers with network access to compromise the system and gain unauthorized access to critical data.

    CVSS 3.1 Base Score: 7.5 (confidentiality impact only)

    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

  • CVE-2025-54988 - Apache Tika XXE Vulnerability (Severity: High)

    Mitigated a high-severity Apache Tika XML External Entity (XXE) vulnerability reachable through crafted XFA files embedded in PDFs. The fix involved removing the Apache Tika dependency where possible and upgrading tika-parsers from version 1.28.4/1.28.5 to version 2.0.0-ALPHA where required.

  • CVE-2025-66516 - Apache Tika XXE Vulnerability (Severity: Critical)

    Addressed a critical Apache Tika XXE vulnerability by upgrading to tika-core version 2.9.5-SNAPSHOT, which contains the security fix released in version 3.2.2. This custom build was created from the 2.x branch of the Apache Tika GitHub repository, which includes the commit that fixes the CVE.

    Note: tika-core 2.9.5-SNAPSHOT is not a released version; it is a custom build that carries the fix released in version 3.2.2.

  • CVE-2025-6021 - OpenJDK libxml2 Vulnerability (Severity: High)

    Fixed a high-severity vulnerability in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations could lead to a stack-based buffer overflow and hence to memory corruption or denial of service. This was resolved by upgrading OpenJDK from version 1.8.0_472 to version 1.8.0_482.

  • Multiple OpenJDK Vulnerabilities (Severity: Critical)

    Addressed multiple high-severity OpenJDK vulnerabilities by upgrading to version 1.8.0_482. All vulnerabilities have been verified as fixed in the latest container image scans.

Graph Studio 5.4.15

Upgraded the DOMPurify library from version 2.5.8 to 3.2.7 to address security scan findings and maintain compliance with current security standards. The updated library is used in toast messages and navigation display components.

Graph Studio 5.4.14

  • CVE-2025-48976: Upgraded commons-fileupload from version 1.5 to 1.6.0 to address high-severity security vulnerability in pipeline service.
  • CVE-2025-53864, CVE-2025-4879: Upgraded com.nimbusds:nimbus-jose-jwt from version 9.37.2 to 10.0.2 and org.apache.cxf:cxf-core from version 3.5.10 to 3.5.11+ to address medium-severity vulnerabilities.
  • CVE-2024-13009: Upgraded org.eclipse.jetty:jetty-server from version 9.4.56.v20240826 to 9.4.57.v20241219 to address high-severity security vulnerability.
  • Additional security vulnerability fixes: Resolved multiple security vulnerabilities in various dependencies to improve overall system security.
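The 5.4.14 and 5.4.16 notes state exact from/to versions, and 5.4.16 says the fixes were confirmed by container image scanning. A practitioner doing the same check by hand needs to compare Maven-style versions such as 4.1.118.Final and 9.4.57.v20241219 correctly, which plain string comparison does not do. The script below is an added example for this page, not Altair's tooling: it parses jar file names as they would come out of a listing of an image's class path and reports any artifact below the minimum fixed version. The MINIMUM_FIXED table is constructed from the versions quoted in these notes, the sample jar list is constructed, and the version ordering is a simplified Maven-like scheme (numeric segments compare numerically, Final/GA/RELEASE add nothing, alpha/beta/milestone/rc/SNAPSHOT sort below the release), not Maven's full ComparableVersion.

```python
import re

# Minimum fixed versions as stated in the Graph Studio 5.4.14 and 5.4.16 notes above.
# Constructed for this example; keys are Maven artifactIds as they appear in jar file names.
MINIMUM_FIXED = {
    "commons-fileupload": "1.6.0",
    "nimbus-jose-jwt": "10.0.2",
    "cxf-core": "3.5.11",
    "jetty-server": "9.4.57.v20241219",
    "netty-codec-smtp": "4.1.128.Final",
}

# Pre-release qualifiers, lowest first; an unlisted qualifier is treated as an unknown pre-release.
PRERELEASE_RANK = {"alpha": -5, "a": -5, "beta": -4, "b": -4, "milestone": -3, "m": -3,
                   "rc": -2, "cr": -2, "snapshot": -1}
RELEASE_QUALIFIERS = {"final", "ga", "release"}   # contribute nothing: 1.6.0.Final == 1.6.0

JAR_NAME = re.compile(r"^(?P<artifact>[A-Za-z0-9_.+-]+?)-(?P<version>\d[\w.+-]*)\.jar$")


def split_jar_name(filename):
    """'netty-codec-smtp-4.1.118.Final.jar' -> ('netty-codec-smtp', '4.1.118.Final'), or None."""
    m = JAR_NAME.match(filename.rsplit("/", 1)[-1])
    return (m.group("artifact"), m.group("version")) if m else None


def _tokens(version):
    """Tokenise a version: ('num', n) or ('qual', rank, name, n); release qualifiers are dropped."""
    out = []
    for tok in re.split(r"[.\-_]", version.strip()):
        if not tok:
            continue
        num = re.fullmatch(r"[vV]?(\d+)", tok)          # '57', or Jetty-style 'v20241219'
        if num:
            out.append(("num", int(num.group(1))))
            continue
        low = tok.lower()
        if low in RELEASE_QUALIFIERS:
            continue
        qual = re.fullmatch(r"([a-z]+)(\d*)", low)       # 'rc1' -> ('rc', 1)
        if qual:
            name, digits = qual.groups()
            out.append(("qual", PRERELEASE_RANK.get(name, -6), name, int(digits or 0)))
        else:
            out.append(("qual", -6, low, 0))
    return out


def _cmp_token(x, y):
    """None means 'no more tokens': it counts as 0 against a number and as the
    final release against a pre-release qualifier (so 1.6 == 1.6.0 and 1.6.0 > 1.6.0-rc1)."""
    if x is None:
        x = ("num", 0) if y[0] == "num" else ("rel",)
    if y is None:
        y = ("num", 0) if x[0] == "num" else ("rel",)
    order = {"qual": 0, "rel": 1, "num": 2}
    if x[0] != y[0]:
        return -1 if order[x[0]] < order[y[0]] else 1
    if x[0] == "rel":
        return 0
    return (x[1:] > y[1:]) - (x[1:] < y[1:])


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b under the simplified ordering."""
    ta, tb = _tokens(a), _tokens(b)
    for i in range(max(len(ta), len(tb))):
        c = _cmp_token(ta[i] if i < len(ta) else None, tb[i] if i < len(tb) else None)
        if c:
            return c
    return 0


def is_at_least(found, minimum):
    return compare_versions(found, minimum) >= 0


def find_unpatched(jar_names, minimums=MINIMUM_FIXED):
    """(artifact, found_version, minimum_version) for every known artifact below its fixed version."""
    findings = []
    for name in jar_names:
        parsed = split_jar_name(name)
        if parsed is None or parsed[0] not in minimums:
            continue
        artifact, version = parsed
        if not is_at_least(version, minimums[artifact]):
            findings.append((artifact, version, minimums[artifact]))
    return findings


# Constructed sample of what a jar listing from inside an image might contain.
SAMPLE_IMAGE_JARS = [
    "/opt/app/lib/commons-fileupload-1.5.jar",
    "/opt/app/lib/jetty-server-9.4.57.v20241219.jar",
    "/opt/app/lib/netty-codec-smtp-4.1.118.Final.jar",
    "/opt/app/lib/nimbus-jose-jwt-10.0.2.jar",
    "/opt/app/lib/unrelated-lib-1.0.jar",
]

if __name__ == "__main__":
    for artifact, found, minimum in find_unpatched(SAMPLE_IMAGE_JARS):
        print(f"{artifact}: found {found}, need >= {minimum}")
```

Two caveats a scan like this cannot remove: a shaded or relocated jar (grpc-netty-shaded, for instance) does not carry the embedded library's version in its file name, and the 2.9.5-SNAPSHOT tika-core build described in 5.4.16 will always sort below the 3.2.2 release even though it carries the fix, so such entries have to be whitelisted by hand.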

Graph Studio 5.4.9

  • CVE-2024-7254: The Protocol Buffers parser dependency was updated to remediate this improper input validation vulnerability.
  • CVE-2024-47561: The Apache Avro Java SDK dependency was upgraded to remediate this vulnerability.
  • CVE-2024-47554: The Apache Commons IO dependency was upgraded to version 2.15.1 to remediate this Uncontrolled Resource Consumption vulnerability.
  • CVE-2020-2801, CVE-2023-41993:The Oracle JDK dependency was replaced with OpenJDK version 1.8 to remediate these vulnerabilities.

Graph Studio 5.4.8

  • GHSA-xpw8-rcwv-8f8p: The io.netty:netty-codec-http2 package dependency was upgraded to remediate this HTTP/2 Rapid Reset DDoS vulnerability.
  • CVE-2020-11971: The Apache Camel JMX dependency was upgraded to remediate this rebind flaw vulnerability.
  • CVE-2024-21634: The ion-java dependency for Graph Lakehouse DB was updated to remediate this possible Denial of Service (DoS) vulnerability.

Graph Studio 5.4.7

  • CVE-2024-24790: The golang net/netip package dependency was updated to remediate this vulnerability.
  • CVE-2024-2961: The glibc library dependency was updated to remediate this vulnerability.

Graph Studio 5.4.6

  • CVE-2018-1320: The Apache Thrift Java client library dependency was updated to remediate this vulnerability.
  • CVE-2023-6378: The logback receiver component of the logback dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
  • CVE-2023-34054 and CVE-2023-34062: The Reactor Netty HTTP Server dependency was updated to remediate these vulnerabilities.
  • CVE-2023-33202: The Bouncy Castle for Java dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
  • CVE-2023-46673: The Elasticsearch dependency was updated as it was identified that malformed scripts used in the script processor of a pipeline could cause an Elasticsearch node to crash when calling the Simulate Pipeline API.
  • GHSA-xpw8-rcwv-8f8p: The io.netty:netty-codec-http2 dependency for Graph Studio Distributed Unstructured was updated to remediate this possible HTTP/2 Rapid Reset Attack vulnerability.

Graph Studio 5.4.5

  • CVE-2023-46604: The Apache ActiveMQ dependency was updated to remediate this possible remote code execution vulnerability.
  • CVE-2023-39410: The Apache Avro dependency for Graph Studio Unstructured was updated to remediate this possible out of memory vulnerability.
  • CVE-2023-41900, CVE-2023-36479, and CVE-2023-40167: The Eclipse Jetty dependency was updated to remediate these vulnerabilities.
  • CVE-2022-44729 and CVE-2022-44730: The Apache XML Graphics Batik dependency was updated to remediate these possible Server-Side Request Forgery (SSRF) vulnerabilities.
  • CVE-2023-2976: The Google Guava dependency was updated to remediate this vulnerability.

Graph Studio 5.4.2

  • CVE-2023-24998: The Apache Commons FileUpload dependency for Graph Studio Unstructured was updated to remediate a possible Denial of Service (DoS) vulnerability.
  • CVE-2022-1471: Modified the SnakeYaml dependency for Graph Studio Unstructured to use the SafeConstructor when parsing content.
  • CVE-2023-1370: The json-smart dependency was updated to remediate a possible stack overflow vulnerability.
  • CVE-2023-1436: The Jettison dependency was updated to remediate this possible StackOverflowError vulnerability.
  • CVE-2023-26048, CVE-2023-26049: The Jetty dependency was updated to remediate these vulnerabilities.

Graph Studio 5.4.1

  • CVE-2022-1471: Modified the SnakeYaml dependency to use the SafeConstructor when parsing content.
  • CVE-2022-40152: The Woodstox dependency was updated to version 6.4.0 to remediate a potential Denial of Service (DoS) vulnerability.
  • CVE-2021-37533: The Apache Commons Net dependency was updated to version 3.9.0 to remediate this vulnerability.
  • CVE-2022-40150: The Jettison dependency was updated to version 1.5.3 to remediate a possible Denial of Service (DoS) vulnerability.
  • SONATYPE-2019-0870, SONATYPE-2021-0887, SONATYPE-2019-0992, and SONATYPE-2014-0257: The freemarker, passay, jcommander, and javassist dependencies were updated to remediate these vulnerabilities.
  • CVE-2022-25168: The Apache Hadoop file utility dependency was updated to version 3.3.4 to remediate this vulnerability.
  • CVE-2022-38900: The decode-uri-component dependency was updated to remediate this possible Denial of Service (DoS) vulnerability.

Graph Lakehouse / AnzoGraph Releases

Graph Lakehouse 2026.0 Database v3.3.1

  • CVE-2025-68121, CVE-2025-61726, CVE-2025-681728, and CVE-2025-61730: The Go standard library was updated to mitigate critical security vulnerabilities including DoS attacks, memory exhaustion, and unauthorized session resumption.
  • CVE-2025-55163: The Netty library dependency for the front-end user interface was updated to remediate a potential HTTP/2 MadeYouReset Distributed DoS vulnerability.
  • CVE-2025-9086: curl has been updated to correct a bug in its path comparison logic that can cause an out-of-bounds read or allow an insecure HTTP response to override a secure cookie set over HTTPS when the same cookie name and a path of “/” are used.
  • CVE-2025-12383: Eclipse Jersey was updated to remediate a potential security vulnerability.
  • CVE-2025-58057: netty-codec was updated to remediate a potential DoS vulnerability via zip bomb-style attack.
  • CVE-2025-58056: netty-codec was updated to remediate a request smuggling vulnerability caused by incorrect parsing of chunk extensions.
  • CVE-2025-59250: The JDBC driver for SQL Server was updated to prevent unauthorized attackers from spoofing over a network.
  • CVE-2025-27821: The Apache Hadoop package was updated to remediate a potential out-of-bounds write vulnerability.

Graph Lakehouse 2026.0 Database v3.3.0

  • CVE-2025-46762: The org.apache.parquet dependency was updated to remediate this vulnerability.
  • CVE-2025-55163: The Netty library dependency for the front-end user interface was updated to remediate a potential HTTP/2 MadeYouReset Distributed DoS vulnerability.
  • CVE-2024-45338: The golang.org/x/net html package dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
  • CVE-2025-52999: The jackson-core dependency was updated to remediate this potential Denial of Service (DoS) vulnerability.
  • CVE-2025-32989, CVE-2025-32990, CVE-2025-32988, CVE-2025-6395: The GnuTLS library was updated to remediate various potential vulnerabilities related to this dependency.

Graph Lakehouse 2025.0 Database v3.2.2

  • CVE-2025-22870: The golang net/http, x/net/proxy, and x/net/http/httpproxy package dependencies were updated to remediate this proxy bypass vulnerability.
  • CVE-2025-27553: The Apache Commons VFS dependency for GDI was updated to version 2.10.0 to remediate this Relative Path Traversal vulnerability.
  • CVE-2025-22871: The golang net/http package dependency for azg cli was updated to remediate this HTTP request smuggling vulnerability.
  • CVE-2025-22872: The golang x/net/html package dependency for azg cli was updated to remediate this vulnerability.
  • CVE-2025-1948: The Eclipse Jetty dependency was updated to remediate this vulnerability in the Jetty HTTP/2 server.

Graph Lakehouse 2025.0 Database v3.2.1

Graph Lakehouse 2025.0 Database v3.2.0

Graph Lakehouse 3.1.9

  • GHSA-72hv-8253-57qq: The jackson-core dependency was updated to remediate this potential Denial of Service (DoS) vulnerability.
  • CVE-2026-29000: The pac4j-jwt package was updated to address an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens.
  • CVE-2026-25646: The libpng library was updated to remediate this potential out-of-bounds read vulnerability.
  • CVE-2026-1605: Eclipse Jersey was updated to remediate this potential security vulnerability.
  • CVE-2025-58057: netty-codec was updated to remediate a potential DoS vulnerability via zip bomb-style attack.
  • CVE-2025-58056: netty-codec was updated to remediate a request smuggling vulnerability caused by incorrect parsing of chunk extensions.
  • CVE-2025-55163: The Netty library dependency for the front-end user interface was updated to remediate a potential HTTP/2 MadeYouReset Distributed DoS vulnerability.
  • CVE-2025-54988: The Apache Tika package was updated to remediate this potential security vulnerability.
  • CVE-2025-12383: Eclipse Jersey was updated to remediate a potential security vulnerability.
  • CVE-2025-9086: curl has been updated to correct a bug in its path comparison logic that can cause an out-of-bounds read or allow an insecure HTTP response to override a secure cookie set over HTTPS when the same cookie name and a path of “/” are used.

Graph Lakehouse 3.1.8

  • CVE-2024-45336: The golang net/http package dependency was updated to remediate this vulnerability.
  • CVE-2024-45341: The golang crypto/x509 package dependency was updated to remediate this vulnerability.
  • CVE-2025-22870: The golang net/http, x/net/proxy, and x/net/http/httpproxy package dependencies were updated to remediate this proxy bypass vulnerability.
  • CVE-2025-22871: The golang net/http package dependency for azg cli was updated to remediate this HTTP request smuggling vulnerability.
  • CVE-2025-22872: The golang x/net/html package dependency for azg cli was updated to remediate this vulnerability.
  • CVE-2025-27553: The Apache Commons VFS dependency for GDI was updated to version 2.10.0 to remediate this Relative Path Traversal vulnerability.
  • CVE-2025-48734: The Apache commons dependency was updated to remediate this potential Improper Access Control vulnerability.
  • CVE-2025-52999: The jackson-core dependency was updated to remediate this potential Denial of Service (DoS) vulnerability.
  • CVE-2025-47907: The golang database/sql package dependency was updated to remediate vulnerability.
  • CVE-2025-4674: The golang package was updated to remediate issues related to unexpected code execution.
  • CVE-2025-55163: The Netty library dependency for the front-end user interface was updated to remediate a potential HTTP/2 MadeYouReset Distributed DoS vulnerability.
  • CVE-2025-5115: The Eclipse Jetty dependency for the frontend user interface was updated to remediate a potential HTTP/2 MadeYouReset DoS vulnerability.

Graph Lakehouse 3.1.7

Graph Lakehouse 3.1.6

  • GHSA-58qw-p7qm-5rvh: The Eclipse Jetty dependency was updated to remediate this XML external entity (XXE) vulnerability in the jetty XmlParser.
  • CVE-2024-43382: The Snowflake JDBC driver dependency was updated to remediate this incorrect security setting vulnerability.
  • GHSA-w32m-9786-jp63, CVE-2024-45338: The golang.org/x/net html package dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.

Graph Lakehouse 3.1.5

  • CVE-2024-47554: The Apache Commons IO dependency of the Neptune extension library of Graph Lakehouse DB was upgraded to version 2.15.1 to remediate this Uncontrolled Resource Consumption vulnerability.
  • CVE-2024-48910: The DOMPurify dependency was upgraded to version 2.4.2 to remediate this Prototype Pollution vulnerability.

Graph Lakehouse 3.1.4

  • CVE-2024-34156: The encoding/gob package dependency was updated to remediate this stack exhaustion vulnerability (Go upgraded to version 1.23.1).
  • CVE-2024-7254: The Protocol Buffers parser dependency was updated to remediate this improper input validation vulnerability.
  • CVE-2024-45801: The DOMPurify dependency was upgraded to remediate this XSS attack vulnerability.
  • CVE-2024-43591: The Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability was remediated.
  • CVE-2024-2398: The libcurl dependency was upgraded from version 8.1.2 to 8.10.1 to further remediate this HTTP/2 push headers memory-leak vulnerability.
  • CVE-2024-47554: The Apache Commons IO dependency was upgraded to version 2.15.1 to remediate this Uncontrolled Resource Consumption vulnerability.
  • CVE-2024-8184: The Eclipse jetty dependency was updated to version 12.0.12 to remediate a potential remote Denial of Service (DoS) attack vulnerability.

Graph Lakehouse 3.1.3

  • CVE-2024-2398: The libcurl dependency was updated to remediate this HTTP/2 push headers memory-leak vulnerability.
  • CVE-2024-6345: The pypa/setuptools dependency was upgraded to remediate this vulnerability.

Graph Lakehouse 3.1.2

  • CVE-2024-24790: The golang net/netip package dependency was updated to remediate this vulnerability (Go upgraded to version 1.22.4).
  • CVE-2023-45288: The golang net/http and x/net/http2 package dependencies were updated to remediate this HTTP/2 CONTINUATION Flood vulnerability.
  • CVE-2023-6597: The CPython dependency for the frontend user interface was updated to remediate this tempfile.TemporaryDirectory class vulnerability.
  • CVE-2023-52424: A dependency for the frontend user interface was updated to remediate the SSID Confusion Attack vulnerability.
  • CVE-2024-24788: A golang dependency was updated to remediate this vulnerability (Go upgraded to version 1.22.4).

Graph Lakehouse 3.1.1

  • CVE-2024-30172: The BC Java Cryptography API dependencies for the frontend user interface were updated to remediate this vulnerability.
  • CVE-2024-29857: The BC Java, BC-FJA, and BC C# .Net library dependencies for the frontend user interface were updated to remediate this possible Denial of Service (DoS) vulnerability.
  • CVE-2024-21634: The ion-java dependency library was updated to remediate a possible Denial of Service (DoS) vulnerability.

Graph Lakehouse 3.1.0

Graph Lakehouse 3.0.0

  • CVE-2023-32067: The c-ares dependency library was updated to remediate a possible Denial of Service (DoS) vulnerability.
  • CVE-2023-30535: The Snowflake JDBC driver was updated to version 3.13.29 to remediate a possible command injection vulnerability.
  • CVE-2023-1370: The json-smart dependency for the frontend user interface was updated to remediate a possible stack overflow vulnerability.
  • CVE-2022-2191: The Eclipse Jetty dependency for the frontend user interface was updated to version 11.0.14 to remediate this vulnerability.
  • CVE-2022-46175: The JSON5 dependency for the frontend user interface was updated to remediate this vulnerability.
  • CVE-2022-31129: The moment JavaScript library dependency for the frontend user interface was upgraded to remediate this vulnerability.
  • CVE-2021-0341: The com.squareup.okhttp dependency for the frontend user interface was updated to remediate this possible improper certificate validation vulnerability.
  • GHSA-v78c-4p63-2j6c: The moment-timezone dependency for the frontend user interface was updated to remediate this vulnerability.
  • SONATYPE-2022-4402: The Postgres JDBC driver was updated to remediate this possible SQL injection vulnerability.
  • SONATYPE-2022-6438: The jackson-core and jackson-databind dependencies were updated to version 2.14.1 to remediate this vulnerability.

AnzoGraph 2.5.23

  • CVE-2025-52999: The jackson-core dependency was updated to remediate a potential Denial-of-Service vulnerability.
  • CVE-2025-24970, CVE-2024-29025, CVE-2025-25193, CVE-2024-47535, CVE-2023-34462: The Netty library dependency for GDI and the front-end user interface was updated to remediate these vulnerabilities.
  • CVE-2024-45338: The golang.org/x/net html package dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
  • CVE-2020-13956: The org.apache.httpcomponents package dependency was updated to remediate this vulnerability.
  • SONATYPE-2012-0050: The Apache commons-codec package was updated to remediate this vulnerability.
  • CVE-2023-35116: The jackson-databind dependency was updated to remediate this vulnerability.
  • CVE-2024-43382: The Snowflake JDBC driver was updated to remediate this security setting vulnerability.
  • CVE-2024-48910, CVE-2024-45801: The DOMPurify JavaScript library was updated to remediate these vulnerabilities, preventing sanitizer bypasses and unauthorized modification of application behavior.
  • CVE-2024-43591: The Azure CLI and Azure Service Connector was updated to remediate this Azure Command Line Integration (CLI) Elevation of Privilege vulnerability.
  • CVE-2024-47554: The Apache Commons IO dependency was updated to address this potential Denial of Service (DoS) vulnerability.
  • CVE-2024-8184: The Eclipse Jetty dependency for the frontend user interface was updated to remediate a potential Denial of Service (DoS) vulnerability.
  • CVE-2024-34156: The encoding/gob package of the Golang standard library was updated to remediate a potential Denial of Service (DoS) vulnerability.
  • CVE-2024-7254: The protobuf dependency for the frontend user interface was updated to address this potential Denial of Service (DoS) vulnerability.
  • CVE-2019-5827, CVE-2014-3566: The nss, nss-tools, sqlite, and nss-sysinit libraries were updated to remediate these vulnerabilities.
  • CVE-2025-22871: The golang net/http package dependency for azg cli was updated to remediate this HTTP request smuggling vulnerability.
  • CVE-2025-22872: The golang x/net/html package dependency for azg cli was updated to remediate this vulnerability.
  • CVE-2025-27553: The Apache Commons VFS dependency was updated to remediate this Relative Path Traversal vulnerability.
  • CVE-2025-0665, CVE-2025-0725, CVE-2024-2398: The libcurl library dependency was upgraded to version 8.12.0 to remediate these vulnerabilities.
  • CVE-2023-2976, CVE-2020-8908: The Google Guava library dependency was updated to remediate these vulnerabilities.