Liquibase Secure 5.0.3 release notes
Liquibase Secure 5.0.3 is a maintenance release focused on dependency updates. This release has no impact on Liquibase Community.
What's Included
IMPORTANT: This release contains multiple CVE updates for Apache Tomcat, Spring Framework components, and select Python HTTP client libraries. See the full list of CVE fixes, potential customer impacts, and exploitability in the Detailed Security Vulnerability Report below.
Your scanner may flag CVEs from third-party libraries included in older Liquibase versions. Engineering has confirmed these issues are not exploitable in Liquibase based on how the libraries are used. Liquibase Secure 5.0.3 updates these dependencies to remove the scanner findings. If your internal policies require clearing the alerts, we recommend upgrading. We’re here to help if you’d like support validating impact or completing the update.
Changelog
DAT-21261 - Updated Apache Tomcat to address multiple CVEs, including CVE-2025-24813 (CRITICAL), CVE-2025-55752 (HIGH), and others. No customer impact - vulnerable features not enabled in Liquibase. https://github.com/liquibase/liquibase-license-utility/pull/49
DAT-21261 - Updated Spring Framework components to address CVE-2025-22235, CVE-2025-41249, and CVE-2025-49146. No customer impact - vulnerable features not used. https://github.com/liquibase/liquibase-license-utility/pull/49
DAT-21261 - Updated Python dependencies in liquibase-checks to address CVE-2018-20225, CVE-2025-47273, and CVE-2024-6345; updated urllib3 to address CVE-2023-43804 and CVE-2023-45803; updated sqlparse to address CVE-2023-30608 and CVE-2024-4340. Only affects users writing custom Python checks. https://github.com/liquibase/liquibase-checks/pull/321
DAT-21261 - Updated Google Cloud dependencies in liquibase-commercial-bigquery to address GHSA-prj3-ccx8-p6x4. https://github.com/liquibase/liquibase-commercial-bigquery/pull/194
Detailed Security Vulnerability Report - Liquibase Secure v5.0.3
CVEs Summary
Critical Issues: 1 (tomcat-embed-core CVE-2025-24813)
High Severity: 8
Medium Severity: 7
Low Severity: 4+
Won't Fix Issues: 1
Apache Tomcat: tomcat-embed-core
| CVE ID | Security Score | Library and Impact Assessment |
|---|---|---|
| CVE-2025-24813 | CVSS 9.8 Critical | Description: Path Equivalence vulnerability leading to Remote Code Execution and/or information disclosure and/or malicious content injection via write-enabled Default Servlet; Attack Vector: Network-based, low complexity, no authentication required; Impact: Complete system compromise (confidentiality, integrity, and availability); Weakness: CWE-44 (Path Equivalence); KEV Status: Yes (Known Exploited Vulnerability); Exploitability: An attacker can manipulate request URIs to bypass security constraints for the /WEB-INF/ and /META-INF/ directories. If PUT requests are enabled, malicious files can be uploaded, leading to RCE via deserialization attacks; Available Patched Versions: 10.1.35, 11.0.3, 9.0.99; Required Action: Upgrade to version 10.1.35 or later; Customer impact: None. We use this library, but we don't enable the features that would make it vulnerable, so this is a false positive. See the Broadcom Support Portal content notification. |
| CVE-2025-55752 (GHSA-wmwf-9ccg-fff5) | High | Description: Relative Path Traversal vulnerability in RewriteValve due to improper URL normalization order; Attack Vector: Network-based attack via malicious rewrite rules; Impact: Security constraint bypass for the /WEB-INF/ and /META-INF/ directories, potential RCE if PUT requests are enabled; Weakness: CWE-23 (Relative Path Traversal); Exploitability: Attackers can manipulate query parameters in rewrite rules to bypass security constraints; Available Patched Versions: 10.1.45, 11.0.9; Required Action: Upgrade to version 10.1.45 or later; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
| CVE-2025-48988 (GHSA-h3gc-qfqq-6h8f) | High | Available Patched Versions: 10.1.42; Required Action: Upgrade to version 10.1.42 or later; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
| CVE-2025-48989 (GHSA-gqp3-2cvr-x8m3) | High | Available Patched Versions: 10.1.44; Required Action: Upgrade to version 10.1.44 or later; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
| CVE-2025-31650 (GHSA-3p2h-wqq4-wf4h) | Medium | Available Patched Versions: 10.1.40; Required Action: Upgrade to version 10.1.40 or later; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
| CVE-2025-49125 (GHSA-wc4r-xq3c-5cf3) | Medium | Description: Security constraint bypass for pre/post-resources; Available Patched Versions: 10.1.42; Required Action: Upgrade to version 10.1.42 or later; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
| CVE-2025-49124 (GHSA-42wg-hm62-jcwg) | Medium | Available Patched Versions: 10.1.42; Required Action: Upgrade to version 10.1.42 or later; Customer impact: False positive. This CVE concerns the Apache Tomcat Windows installer, not the library. |
| CVE-2025-31651 (GHSA-ff77-26x5-69cr) | Low | Available Patched Versions: 10.1.40; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
| CVE-2025-46701 (GHSA-h2fw-rfh5-95r3), GHSA-vfww-5hm6-hx2j, GHSA-hgrr-935x-pq79 | Low | Available Patched Versions: 10.1.41-10.1.47; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
Spring Framework Components
| CVE ID | Security Score | Library and Impact Assessment |
|---|---|---|
| Spring-boot CVE-2025-22235 (GHSA-rc42-6c7j-7h5r) | HIGH (CVSS 3.1 Score: 7.3) | Current Version: 3.4.2; Description: EndpointRequest.to() creates an incorrect matcher (null/**) when the actuator endpoint is disabled or not exposed; Attack Vector: Network-based, low complexity, no authentication required; Impact: Missing authorization, unauthorized access to restricted endpoints; Weakness: CWE-20 (Improper Input Validation), CWE-862 (Missing Authorization); Conditions for Exploitation: Application uses Spring Security with EndpointRequest.to() for disabled/unexposed actuator endpoints; Available Patched Versions: 3.4.5, 3.3.11; Required Action: Upgrade to version 3.4.5 or later; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
| Spring-core CVE-2025-41249 (GHSA-jmp9-x22r-554x) | HIGH (CVSS 3.1 Score: 7.5) | Current Version: 6.2.2; Description: Annotation detection mechanism fails to resolve annotations on methods within type hierarchies with parameterized super types; Attack Vector: Network-based, affects authorization decisions; Impact: Improper authorization, confidentiality compromise; Weakness: CWE-863 (Incorrect Authorization); Conditions for Exploitation: Using Spring Security's @EnableMethodSecurity with security annotations on methods in generic superclasses/interfaces; Available Patched Versions: 6.2.11; Required Action: Upgrade to version 6.2.11 or later; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
| CVE-2025-49146 (GHSA-hq9p-pm7w-8p54) | HIGH (CVSS 3.1 Score: 8.2) | Current Version: 42.7.4; Available Patched Versions: 42.7.7; Required Action: Upgrade to version 42.7.7 or later; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
| spring-web GHSA-6r3c-xf4w-jxjm | Medium | Current Version: 6.2.2; Available Patched Versions: 6.2.8; Required Action: Upgrade to version 6.2.8 or later; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
| spring-webmvc GHSA-r936-gwx5-v52f | Medium | Current Version: 6.2.2; Available Patched Versions: 6.2.10; Required Action: Upgrade to version 6.2.10 or later; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
| spring-context GHSA-4wp7-92pw-q264 | Low | Current Version: 6.2.2; Available Patched Versions: 6.2.7; Required Action: Upgrade to version 6.2.7 or later; Customer impact: None. We use this library, but we don't use the features that could make it vulnerable. |
Other Components
| CVE ID | Security Score | Library and Impact Assessment |
|---|---|---|
| grpc-netty-shaded GHSA-prj3-ccx8-p6x4 | High | Current Version: 1.71.0; Available Patched Versions: 1.75.0; Required Action: Upgrade to version 1.75.0 or later; Customer impact: None, we do not use this library. |
| logback-core GHSA-25qh-j22f-pwp8 | Medium | Current Version: 1.5.16; Available Patched Versions: 1.5.19; Required Action: Upgrade to version 1.5.19 or later; Customer impact: None, we do not use this library. |
Liquibase Checks Extension CVEs - Python HTTP Client Library - urllib3
Customer impact: customers who do not use Python checks are not affected. Otherwise, see the specific impact listed for each CVE.
| CVE ID | Security Score | Library and Impact Assessment |
|---|---|---|
| CVE-2023-45803 | High | Description: HTTP request body not stripped during redirects with status codes 301, 302, or 303 when the request method changes from POST to GET; Attack Vector: Network-based, requires a compromised trusted service; Impact: Sensitive information in the HTTP request body (form data, JSON) leaked to malicious redirect targets; Weakness: CWE-200 (Exposure of Sensitive Information); Exploitability: Low, requires a previously trusted service to become compromised and start redirecting to malicious peers; Conditions for Exploitation: using urllib3 and submitting sensitive information in the HTTP request body, and the origin service being compromised and redirecting with 301, 302, or 303 to a malicious peer; Available Patched Versions: 1.26.18, 2.0.7 or later; Required Action: Upgrade to version 1.26.18 (latest in the 1.x line); Customer impact: Liquibase checks do not use this library; it is provided to users so they can write their own custom checks. |
| CVE-2023-43804 | MEDIUM (CVSS 3.1 Score: 5.9) | Description: Cookie HTTP header not stripped during cross-origin redirects; Attack Vector: Network-based, high complexity, requires authentication; Impact: Exposure of sensitive information to unauthorized actors, cookie leakage during redirects; Weakness: CWE-200 (Exposure of Sensitive Information); Exploitability: An attacker can trick users into connecting to a malicious server that presents legitimate TLS certificates with spoofed Common Names. Requires the user to specify a Cookie header AND the service redirecting to a different origin without redirects having been explicitly disabled; Conditions for Exploitation: using the affected urllib3 version, using a Cookie header on requests, not disabling automatic redirects, and the service performing cross-origin redirects; Available Patched Versions: 1.26.17, 2.0.5 or later; Required Action: Upgrade to version 1.26.18 (latest in the 1.x line, to avoid breaking changes from 2.x); Customer impact: Liquibase checks do not use this library; it is provided to users so they can write their own custom checks. |
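The two urllib3 redirect conditions in the table above (the body forwarded when a 301/302/303 redirect turns a POST into a GET, and the Cookie header forwarded to a different origin) expressed as a small redirect policy that a custom-check author can unit-test offline. This is an added example, not Liquibase or urllib3 code; the Request type, the sample URLs and the extra Authorization stripping are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit


@dataclass
class Request:
    """Minimal stand-in for an outgoing HTTP request (constructed for this example)."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[bytes] = None


# 301/302/303 turn a POST into a GET (RFC 9110 section 15.4); 307/308 keep the method.
METHOD_CHANGING = frozenset({301, 302, 303})
# Headers that describe a body and must go when the body goes.
BODY_HEADERS = frozenset({"content-length", "content-type", "transfer-encoding"})
# Headers that must never be forwarded to another origin. Cookie is the
# CVE-2023-43804 case; Authorization is an extra this example adds.
CROSS_ORIGIN_STRIP = frozenset({"cookie", "authorization"})


def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, port); default ports are filled in so ':443' equals 'no port'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def prepare_redirect(req: Request, status: int, location: str) -> Request:
    """Build the follow-up request for a redirect without leaking the body or cookies."""
    new_url = urljoin(req.url, location)  # Location may be relative to the old URL
    method, body = req.method.upper(), req.body
    headers = dict(req.headers)

    # CVE-2023-45803: once the method becomes GET, the body and its headers are dropped.
    becomes_get = (status == 303 and method != "HEAD") or (status in METHOD_CHANGING and method == "POST")
    if becomes_get:
        method, body = "GET", None
        headers = {k: v for k, v in headers.items() if k.lower() not in BODY_HEADERS}

    # CVE-2023-43804: credentials stay bound to the origin the caller originally addressed.
    if origin(new_url) != origin(req.url):
        headers = {k: v for k, v in headers.items() if k.lower() not in CROSS_ORIGIN_STRIP}

    return Request(method, new_url, headers, body)
```

A custom check that never needs to follow redirects can instead pass redirect=False to urllib3's PoolManager.request(), which removes the condition entirely; otherwise run 1.26.18 or later as the table states.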
SQL Parsing Library - sqlparse
| CVE ID | Security Score | Library and Impact Assessment |
|---|---|---|
| CVE-2023-30608 | HIGH | Current Version: 0.4.3; Description: Regular Expression Denial of Service (ReDoS) vulnerability; Attack Vector: Application-level attack via specially crafted SQL input; Impact: Denial of Service, the application becomes unresponsive due to catastrophic backtracking in regex matching; Weakness: CWE-1333 (Inefficient Regular Expression Complexity); Exploitability: An attacker can provide malicious SQL queries that cause excessive CPU consumption and an application hang; Available Patched Versions: 0.5.0 or later; Required Action: Upgrade to version 0.5.3 (latest stable release); Customer impact: Low. This library is used by the Liquibase Python utility. |
| CVE-2024-4340 | HIGH (CVSS 3.1 Score: 7.5) | Description: Denial of Service via heavily nested lists in the parse() function; Attack Vector: Network-based, low complexity, no authentication required; Impact: High availability impact, application crash or hang when processing deeply nested SQL structures; Weakness: CWE-674 (Uncontrolled Recursion) or similar resource exhaustion; Exploitability: An attacker can craft SQL queries with deeply nested list structures that exhaust stack space or cause infinite recursion; Conditions for Exploitation: the application uses sqlparse to parse untrusted SQL input, and the attacker can control the SQL query content sent to the parser; Available Patched Versions: 0.5.0 or later; Required Action: Upgrade to version 0.5.3 (latest stable release); Customer impact: Low. This library is used by the Liquibase Python utility. |
Python Package Installer - pip
| CVE ID | Security Score | Library and Impact Assessment |
|---|---|---|
| CVE-2018-20225 | Disputed and marked WONTFIX by pip developers (typically MEDIUM) | Description: Improper input validation vulnerability in pip; Attack Vector: Depends on the specific attack scenario; Impact: Potential for arbitrary code execution or unauthorized access depending on the exploitation vector; Note: This is a very old CVE from 2018. All pip versions are "affected" by this disputed CVE; even GraalVM 25 with the latest pip will still trigger the scanner warning; Exploitability: Generally low in modern environments where pip has been updated multiple times since 2018; Recommendation: Suppress this CVE in your scanner configuration with a note that it is disputed and does not affect your use case; Customer impact: None, pip is not used with checks. |