Patched Vulnerabilities
This page provides information about the common security vulnerabilities that were patched in Graph Studio and Graph Lakehouse releases.
Altair Graph Studio Releases
Graph Studio 2025.1 Engine v6.1
- Fix for Graph Studio Distributed Unstructured CVE-2025-48734: This addresses CVE-2025-48734 for Graph Studio Distributed Unstructured users.
- DOMPurify JavaScript library updated due to CVE: This updates the DOMPurify JavaScript library to address a CVE.
- Journal query performance regression: This fix addresses a regression in journal query performance.
Graph Studio 2025.0.1 Engine v6.0.1
- CVE-2024-21235 (Medium Severity): Addresses multiple CVEs in openjdk and jetty components, enhancing core Java security.
- Multiple High Severity CVEs in Unstructured Components: Resolves multiple high-severity CVEs in okio and openjdk, preventing unauthenticated network compromise and data manipulation.
- CVE-2025-25193 (Medium Severity) in Netty: Fixes CVE-2025-25193 in netty-common, improving network communication integrity.
- CVE-2025-1391 in Keycloak Services: Resolves CVE-2025-1391 in keycloak-services, strengthening SSO security.
- CVE-2025-27553 (High Severity) in Commons VFS2: Patches high-severity CVE-2025-27553 in commons-vfs2, critical for secure pipeline data flows.
- CVE-2024-13009 (High Severity) in Jetty Server: Fixes high-severity CVE-2024-13009 in jetty-server, preventing data corruption and sharing issues.
- Keycloak CVE-2025-3501: Resolves Keycloak CVE-2025-3501, which allowed bypassing trust store verification. CVE-2019-9628 was a false positive.
- Update to Latest Keycloak Libraries: Updates Keycloak libraries to version 26.1.5 to mitigate various CVEs and enhance authentication security.
- Elasticsearch Update: Updates Elasticsearch to address CVE-2024-52981, securing search and indexing functions.
- XSS Security Fix for Object Titles: Patches an XSS vulnerability that allowed malicious scripts in object titles, improving UI security.
Graph Lakehouse / AnzoGraph Releases
Graph Lakehouse 2025.0 Database v3.2.2
- CVE-2025-22870: The golang net/http, x/net/proxy, and x/net/http/httpproxy package dependencies were updated to remediate this proxy bypass vulnerability.
- CVE-2025-27553: The Apache Commons VFS dependency for GDI was updated to version 2.10.0 to remediate this Relative Path Traversal vulnerability.
- CVE-2025-22871: The golang net/http package dependency for azg cli was updated to remediate this HTTP request smuggling vulnerability.
- CVE-2025-22872: The golang x/net/html package dependency for azg cli was updated to remediate this vulnerability.
- CVE-2025-1948: The Eclipse Jetty dependency was updated to remediate this vulnerability in the Jetty HTTP/2 server.
Graph Lakehouse 2025.0 Database v3.2.1
- CVE-2024-56171 and CVE-2025-24928: The libxml2 library dependency was upgraded to version 2.13.6 to remediate these vulnerabilities, including a "use-after-free" (UAF).
- CVE-2025-0665 and CVE-2025-0725: The libcurl library dependency was upgraded to version 8.12.0 to remediate these vulnerabilities.
- CVE-2025-24970: The Netty/Handler (io.netty:netty-handler) library dependency for GDI and the frontend user interface was updated to version 4.1.118.Final to remediate this vulnerability.
- CVE-2020-8908, CVE-2024-47535, CVE-2023-34462: The Databricks JDBC driver dependency was updated to version 2.7.1 to remediate these vulnerabilities in its third-party libraries. See https://docs.databricks.com/aws/en/release-notes/product/2025/january#databricks-jdbc-driver-271 for more details.
Graph Lakehouse 2025.0 Database v3.2.0
- GHSA-wjxj-5m7g-mg7q and CVE-2023-33202: The Bouncy Castle for Java dependency was updated to remediate a potential Denial of Service (DoS) vulnerability within the Bouncy Castle org.bouncycastle.openssl.PEMParser class.
- CVE-2023-31147, CVE-2023-31130, CVE-2022-4904, and CVE-2023-31124: The c-ares library dependency was updated to remediate these vulnerabilities.
- GHSA-xqfj-vm6h-2x34, CVE-2021-35517, GHSA-mc84-pj99-q6hh, CVE-2021-36090, GHSA-crv7-7245-f45f, CVE-2021-35516, GHSA-7hfm-57qf-j43q, CVE-2021-35515, GHSA-4g9r-vxhx-9pgx, and CVE-2024-25710: The Apache Commons Compress package dependency was updated to remediate these potential Denial of Service (DoS) attack vulnerabilities.
- GHSA-8r3f-844c-mc37 and CVE-2024-24786: The google.golang.org/protobuf module dependency was updated to remediate this vulnerability in the Golang protojson.Unmarshal function.
- GHSA-7g45-4rm6-3mm3, CVE-2023-2976, GHSA-5mg8-w23w-74h3, and CVE-2020-8908: The Google Guava dependency was updated to remediate these vulnerabilities.
- GHSA-58qw-p7qm-5rvh: The Eclipse Jetty dependency was updated to remediate this XML external entity (XXE) vulnerability in XmlParser.
- GHSA-vmq6-5m68-f53m and CVE-2023-6378: The logback framework dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
- GHSA-668q-qrv7-99fm and CVE-2021-42550: The logback framework dependency was updated to remediate a potential arbitrary code execution (ACE) vulnerability.
- GHSA-gvpg-vgmx-xg6w and CVE-2023-52428: The Connect2id Nimbus JOSE+JWT dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2024-45338: The golang.org/x/net html package dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2024-47535 : The Netty framework dependency for the frontend user interface was updated to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2024-47875 : The DOMPurify dependency was upgraded to remediate this nesting-based Mutated Cross-site scripting (mXSS) vulnerability.
- CVE-2021-41033 : The Eclipse Equinox dependency was upgraded to remediate this man-in-the-middle attack vulnerability.
AnzoGraph 3.1.8
- CVE-2024-45336: The golang net/http package dependency was updated to remediate this vulnerability.
- CVE-2024-45341: The golang crypto/x509 package dependency was updated to remediate this vulnerability.
- CVE-2025-22870: The golang net/http, x/net/proxy, and x/net/http/httpproxy package dependencies were updated to remediate this proxy bypass vulnerability.
- CVE-2025-22871: The golang net/http package dependency for azg cli was updated to remediate this HTTP request smuggling vulnerability.
- CVE-2025-22872: The golang x/net/html package dependency for azg cli was updated to remediate this vulnerability.
- CVE-2025-27553: The Apache Commons VFS dependency for GDI was updated to version 2.10.0 to remediate this Relative Path Traversal vulnerability.
- CVE-2025-48734: The Apache commons dependency was updated to remediate this potential Improper Access Control vulnerability.
- CVE-2025-52999: The jackson-core dependency was updated to remediate this potential Denial of Service (DoS) vulnerability.
AnzoGraph 3.1.1
- CVE-2024-30172: The BC Java Cryptography API dependencies for the frontend user interface were updated to remediate this vulnerability.
- CVE-2024-21634: The BC Java, BC-FJA, and BC C# .Net library dependencies for the frontend user interface were updated to remediate this vulnerability.
- CVE-2024-29857: The ion-java dependency library was updated to remediate a possible Denial of Service (DoS) vulnerability.
AnzoGraph 3.1.0
- CVE-2023-32067: The c-ares dependency library was updated to remediate a possible Denial of Service (DoS) vulnerability.
- CVE-2023-30535: The Snowflake JDBC driver was updated to version 3.13.29 to remediate a possible command injection vulnerability.
- CVE-2023-1370: The json-smart dependency for the frontend user interface was updated to remediate a possible stack overflow vulnerability.
- CVE-2022-46175: The JSON5 dependency for the frontend user interface was updated to remediate this vulnerability.
- CVE-2022-31129: The moment JavaScript library dependency for the frontend user interface was upgraded to remediate this vulnerability.
- CVE-2021-0341: The com.squareup.okhttp dependency for the frontend user interface was updated to remediate this possible improper certificate validation vulnerability.
- CVE-2020-21469: The PostgreSQL dependency was updated to remediate this possible Denial of Service (DoS) vulnerability.
- GHSA-v78c-4p63-2j6c: The moment-timezone dependency for the frontend user interface was updated to remediate this vulnerability.
- GHSA-xpw8-rcwv-8f8p: The Netty dependency for the frontend user interface was updated to remediate this possible HTTP/2 Rapid Reset Attack vulnerability.
- The Eclipse Jetty dependency for the frontend user interface was updated to remediate the following vulnerabilities: GHSA-jjjh-jjxp-wpff, GHSA-rgv9-q543-rqg4, GHSA-wgh7-54f2-x98r, GHSA-58qw-p7qm-5rvh, CVE-2022-2191, CVE-2022-25647, CVE-2007-1652, CVE-2022-2048, CVE-2009-5045, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2020-27216, CVE-2023-44487, CVE-2023-40167, CVE-2023-36478, CVE-2023-36479, and CVE-2023-41900.
- SONATYPE-2022-4402: The Postgres JDBC driver was updated to remediate this possible SQL injection vulnerability.
- SONATYPE-2022-6438: The jackson-core and jackson-databind dependencies were updated to version 2.14.1 to remediate this vulnerability.
AnzoGraph 2.5.23
- CVE-2025-52999: The jackson-core dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2025-24970, CVE-2024-29025, CVE-2025-25193, CVE-2024-47535, CVE-2023-34462: The Netty library dependency for GDI and the frontend user interface was updated to remediate these vulnerabilities.
- CVE-2024-45338: The golang.org/x/net html package dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2020-13956: The org.apache.httpcomponents package dependency was updated to remediate this vulnerability.
- SONATYPE-2012-0050: The Apache commons-codec package was updated to remediate this vulnerability.
- CVE-2023-35116: The jackson-databind dependency was updated to remediate this vulnerability.
- CVE-2024-43382: The Snowflake JDBC driver was updated to remediate this security setting vulnerability.
- CVE-2024-48910, CVE-2024-45801: The DOMPurify JavaScript library was updated to remediate these vulnerabilities, preventing security bypasses and unauthorized modifications of application behavior.
- CVE-2024-43591: The Azure CLI and Azure Service Connector were updated to remediate this Azure Command Line Interface (CLI) Elevation of Privilege vulnerability.
- CVE-2024-47554: The Apache Commons IO dependency was updated to address this potential Denial of Service (DoS) vulnerability.
- CVE-2024-8184: The Eclipse Jetty dependency for the frontend user interface was updated to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2024-34156: The encoding/gob package of the Golang standard library was updated to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2024-7254: The protobuf dependency for the frontend user interface was updated to address this potential Denial of Service (DoS) vulnerability.
- CVE-2019-5827, CVE-2014-3566: The nss, nss-tools, sqlite, and nss-sysinit libraries were updated to remediate these vulnerabilities.
- CVE-2025-22871: The golang net/http package dependency for azg cli was updated to remediate this HTTP request smuggling vulnerability.
- CVE-2025-22872: The golang x/net/html package dependency for azg cli was updated to remediate this vulnerability.
- CVE-2025-27553: The Apache Commons VFS dependency was updated to remediate this Relative Path Traversal vulnerability.
- CVE-2025-0665, CVE-2025-0725, CVE-2024-2398: The libcurl library dependency was upgraded to version 8.12.0 to remediate these vulnerabilities.
- CVE-2023-2976, CVE-2020-8908: The Google Guava library dependency was updated to remediate these vulnerabilities.