Patched Vulnerabilities
This page provides information about the common security vulnerabilities that were patched in Graph Studio and Graph Lakehouse releases.
Altair Graph Studio Releases
Graph Studio 2025.0 Engine v6.0
Graph Lakehouse / AnzoGraph Releases
Graph Lakehouse 2025.0 Database v3.2.2
- CVE-2025-22870: The golang net/http, x/net/proxy, and x/net/http/httpproxy package dependencies were updated to remediate this proxy bypass vulnerability.
- CVE-2025-27553: The Apache Commons VFS dependency for GDI was updated to version 2.10.0 to remediate this Relative Path Traversal vulnerability.
- CVE-2025-22871: The golang net/http package dependency for azg cli was updated to remediate this HTTP request smuggling vulnerability.
- CVE-2025-22872: The golang x/net/html package dependency for azg cli was updated to remediate this vulnerability.
- CVE-2025-1948: The Eclipse Jetty dependency was updated to remediate this vulnerability in the Jetty HTTP/2 server.
Graph Lakehouse 2025.0 Database v3.2.1
- CVE-2024-56171 and CVE-2025-24928: The libxml2 library dependency was upgraded to version 2.13.6 to remediate these use-after-free (UAF) vulnerabilities.
- CVE-2025-0665 and CVE-2025-0725: The libcurl library dependency was upgraded to version 8.12.0 to remediate these vulnerabilities.
- CVE-2025-24970: The Netty/Handler (io.netty:netty-handler) library dependency for GDI and the frontend user interface was updated to version 4.1.118.Final to remediate this vulnerability.
- CVE-2020-8908, CVE-2024-47535, and CVE-2023-34462: The Databricks JDBC driver dependency was updated to version 2.7.1 to remediate these vulnerabilities in its third-party libraries. See https://docs.databricks.com/aws/en/release-notes/product/2025/january#databricks-jdbc-driver-271 for more details.
Graph Lakehouse 2025.0 Database v3.2.0
- GHSA-wjxj-5m7g-mg7q and CVE-2023-33202: The Bouncy Castle for Java dependency was updated to remediate a potential Denial of Service (DoS) vulnerability within the Bouncy Castle org.bouncycastle.openssl.PEMParser class.
- CVE-2023-31147, CVE-2023-31130, CVE-2022-4904, and CVE-2023-31124: The c-ares library dependency was updated to remediate these vulnerabilities.
- GHSA-xqfj-vm6h-2x34, CVE-2021-35517, GHSA-mc84-pj99-q6hh, CVE-2021-36090, GHSA-crv7-7245-f45f, CVE-2021-35516, GHSA-7hfm-57qf-j43q, CVE-2021-35515, GHSA-4g9r-vxhx-9pgx, and CVE-2024-25710: The Apache Commons Compress package dependency was updated to remediate these potential Denial of Service (DoS) vulnerabilities.
- GHSA-8r3f-844c-mc37 and CVE-2024-24786: The google.golang.org/protobuf module dependency was updated to remediate this vulnerability in the Golang protojson.Unmarshal function.
- GHSA-7g45-4rm6-3mm3, CVE-2023-2976, GHSA-5mg8-w23w-74h3, and CVE-2020-8908: The Google Guava dependency was updated to remediate these vulnerabilities.
- GHSA-58qw-p7qm-5rvh: The Eclipse Jetty dependency was updated to remediate this XML external entity (XXE) vulnerability in XmlParser.
- GHSA-vmq6-5m68-f53m and CVE-2023-6378: The logback framework dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
- GHSA-668q-qrv7-99fm and CVE-2021-42550: The logback framework dependency was updated to remediate a potential arbitrary code execution (ACE) vulnerability.
- GHSA-gvpg-vgmx-xg6w and CVE-2023-52428: The Connect2id Nimbus JOSE+JWT dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2024-45338: The golang.org/x/net html package dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2024-47535: The Netty framework dependency for the frontend user interface was updated to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2024-47875: The DOMPurify dependency was upgraded to remediate this nesting-based mutation cross-site scripting (mXSS) vulnerability.
- CVE-2021-41033: The Eclipse Equinox dependency was upgraded to remediate this man-in-the-middle attack vulnerability.
AnzoGraph 3.1.1
- CVE-2024-30172: The BC Java Cryptography API dependencies for the frontend user interface were updated to remediate this vulnerability.
- CVE-2024-21634: The BC Java, BC-FJA, and BC C# .Net library dependencies for the frontend user interface were updated to remediate this vulnerability.
- CVE-2024-29857: The ion-java dependency library was updated to remediate a possible Denial of Service (DoS) vulnerability.
AnzoGraph 3.1.0
- CVE-2023-32067: The c-ares dependency library was updated to remediate a possible Denial of Service (DoS) vulnerability.
- CVE-2023-30535: The Snowflake JDBC driver was updated to version 3.13.29 to remediate a possible command injection vulnerability.
- CVE-2023-1370: The json-smart dependency for the frontend user interface was updated to remediate a possible stack overflow vulnerability.
- CVE-2022-46175: The JSON5 dependency for the frontend user interface was updated to remediate this vulnerability.
- CVE-2022-31129: The moment JavaScript library dependency for the frontend user interface was upgraded to remediate this vulnerability.
- CVE-2021-0341: The com.squareup.okhttp dependency for the frontend user interface was updated to remediate this possible improper certificate validation vulnerability.
- CVE-2020-21469: The PostgreSQL dependency was updated to remediate this possible Denial of Service (DoS) vulnerability.
- GHSA-v78c-4p63-2j6c: The moment-timezone dependency for the frontend user interface was updated to remediate this vulnerability.
- GHSA-xpw8-rcwv-8f8p: The Netty dependency for the frontend user interface was updated to remediate this possible HTTP/2 Rapid Reset Attack vulnerability.
- The Eclipse Jetty dependency for the frontend user interface was updated to remediate the following vulnerabilities: GHSA-jjjh-jjxp-wpff, GHSA-rgv9-q543-rqg4, GHSA-wgh7-54f2-x98r, GHSA-58qw-p7qm-5rvh, CVE-2022-2191, CVE-2022-25647, CVE-2007-1652, CVE-2022-2048, CVE-2009-5045, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2020-27216, CVE-2023-44487, CVE-2023-40167, CVE-2023-36478, CVE-2023-36479, and CVE-2023-41900.
- SONATYPE-2022-4402: The Postgres JDBC driver was updated to remediate this possible SQL injection vulnerability.
- SONATYPE-2022-6438: The jackson-core and jackson-databind dependencies were updated to version 2.14.1 to remediate this vulnerability.