
fix: CVE-2025-48734#41223

Merged

subrata71 merged 1 commit into release from fix/CVE-2025-48734
Sep 15, 2025

Conversation

@subrata71
Collaborator

@subrata71 subrata71 commented Sep 12, 2025

Description

Tip

Add a TL;DR when the description is longer than 500 words or extremely technical (helps the content, marketing, and DevRel team).

Please also include relevant motivation and context. List any dependencies that are required for this change. Add links to Notion, Figma or any other documents that might be relevant to the PR.

Fixes CVE-2025-48734

Automation

/ok-to-test tags="@tag.Sanity"

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/17723760561
Commit: d71d66e
Cypress dashboard.
Tags: @tag.Sanity
Spec:


Mon, 15 Sep 2025 08:40:18 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • Chores
    • Upgraded the underlying input validation library to a newer version across server components to incorporate upstream fixes and improvements.
    • Improves overall stability and security with no expected changes to user-facing behavior.
    • Ensures continued compatibility with modern environments and reduces maintenance risks.

@coderabbitai
Contributor

coderabbitai bot commented Sep 12, 2025

Walkthrough

Dependency version bumps: commons-validator updated from 1.7 to 1.10.0 in two Maven modules. No scope or other changes.

Changes

Cohort / File(s) | Summary
Dependency bump: commons-validator (app/server/appsmith-interfaces/pom.xml, app/server/appsmith-server/pom.xml) | Update commons-validator version from 1.7 to 1.10.0 (scope unchanged: compile).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

Two POMs in sync, a tidy lift,
Validators freshened, version shift.
No code to tweak, no tests to mend,
A quiet bump from old to friend.
Ship it clean—onward we trend.


Pre-merge checks

❌ Failed checks (1 inconclusive)
Check name | Status | Explanation | Resolution
Description Check | ❓ Inconclusive | The PR description correctly states it "Fixes CVE-2025-48734" and includes automation and Cypress results, but it is very brief and does not follow the repository's required template: it lacks motivation/context, a TL;DR or summary of the concrete code changes, explicit list of files and exact dependency/version changes, a link to the CVE advisory or issue URL, and impact/rollback/testing details. Because the description is vague and missing multiple required sections from the template, the check is inconclusive. | Please update the PR description to follow the repository template: add a short TL;DR and motivation, list the exact files changed and the precise dependency/version bump (for example commons-validator 1.7 → 1.10.0 in the affected POMs), and include a link to the CVE advisory or issue URL. Also add impact/compatibility notes, the tests performed (unit/integration/security) and any rollback or release notes, and indicate whether DevRel/Marketing should be informed. After those details are added and CI/tests are confirmed, re-request review so this check can be re-evaluated.

✅ Passed checks (2 passed)
Check name | Status | Explanation
Title Check | ✅ Passed | The title "fix: CVE-2025-48734" is concise, directly references the vulnerability being addressed, and aligns with the primary change in the changeset (a dependency bump to remediate the CVE), so it clearly communicates the PR's main intent for reviewers and release notes.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.

@subrata71
Collaborator Author

/build-deploy-preview skip-tests=false

@subrata71 subrata71 self-assigned this Sep 12, 2025
@github-actions github-actions bot added the Bug Something isn't working label Sep 12, 2025
@github-actions

Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/17667774690.
Workflow: On demand build Docker image and deploy preview.
skip-tests: false.
env: ``.
PR: 41223.
recreate: .

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
app/server/appsmith-interfaces/pom.xml (1)

127-131: Optional: enforce via Enforcer to prevent regressions.

Add Maven Enforcer “banDuplicatePomDependencyVersions”/“requireUpperBoundDeps” or explicitly pin BeanUtils=1.11.0 in dependencyManagement to avoid an accidental downgrade.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e1cb5d9 and d71d66e.

📒 Files selected for processing (2)
  • app/server/appsmith-interfaces/pom.xml (1 hunks)
  • app/server/appsmith-server/pom.xml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: server-unit-tests / server-unit-tests
🔇 Additional comments (3)
app/server/appsmith-server/pom.xml (2)

186-189: Sanity: check validator behavior changes against URL/Email/Domain validation.

1.10.0/1.9.x included fixes around TLD handling and URL/IBAN routines; low risk but could tighten validation. Please run existing validations in CI to catch regressions. (commons.apache.org)


186-189: Verify commons-beanutils is 1.11.0

Good bump; should remediate CVE-2025-48734 (commons-validator 1.10.0 → commons-beanutils 1.11.0). Verification failed in the sandbox (mvn/rg unavailable) — run locally and confirm the transitive dependency:

mvn -q -pl app/server/appsmith-server -am dependency:tree -Dincludes=commons-beanutils:commons-beanutils
# Ensure output contains: commons-beanutils:commons-beanutils:jar:1.11.0

If any other dependency pulls an older commons-beanutils, enforce the patched version (add to app/server/appsmith-server/pom.xml or root dependencyManagement):

<dependencies>
+  <!-- Enforce patched BeanUtils for CVE-2025-48734 -->
+  <dependency>
+    <groupId>commons-beanutils</groupId>
+    <artifactId>commons-beanutils</artifactId>
+    <version>1.11.0</version>
+  </dependency>
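Review bot: The suggested snippet opens `<dependencies>` but never closes it, and it places the pin as a direct dependency rather than under `<dependencyManagement>`, which the sentence above ("or root dependencyManagement") and the 127-131 nitpick name as the intended home. A direct `<dependency>` entry puts commons-beanutils on the module's own compile classpath whether or not anything uses it, while a `<dependencyManagement>` entry only fixes the version of the commons-beanutils that commons-validator or another transitive path already brings in, which is the effect wanted here. Suggest wrapping the fragment as `<dependencyManagement><dependencies>…</dependencies></dependencyManagement>` and closing the tags so it can be pasted as-is.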
app/server/appsmith-interfaces/pom.xml (1)

127-131: Version alignment looks good — commons-validator 1.10.0 present; verify transitive commons-beanutils

app/server/appsmith-interfaces/pom.xml contains commons-validator 1.10.0 (lines ~116–131); mvn wasn't available in the sandbox so I couldn't run dependency:tree to confirm transitive commons-beanutils versions.

Run locally: mvn -q -pl app/server/appsmith-interfaces -am dependency:tree -Dincludes=commons-beanutils:commons-beanutils — confirm no module brings commons-beanutils <1.11.0 (fix for CVE-2025-48734).
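The verification asked for in the two review comments above (run `mvn dependency:tree` and confirm that no module still pulls commons-beanutils below 1.11.0, the version that fixes CVE-2025-48734) is something CI can do mechanically rather than by eye. The script below is an added example and not code from the PR or the Appsmith project: it parses the text that `mvn dependency:tree` prints rather than invoking Maven, and the sample tree it runs on is constructed (the `com.example:example-server` and `org.example:legacy-lib` coordinates are placeholders, not real Appsmith modules). It assumes the usual `groupId:artifactId:type:version:scope` layout of tree lines.

```shell
#!/bin/sh
# Added example, not part of the PR: scan `mvn dependency:tree` output for
# commons-beanutils artifacts older than the version that fixes CVE-2025-48734.
MIN_BEANUTILS="1.11.0"

# version_lt A B: succeeds (exit 0) when dotted version A is numerically
# lower than B. Only the first three numeric components are compared.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xa = (i <= n) ? x[i] + 0 : 0
            yb = (i <= m) ? y[i] + 0 : 0
            if (xa < yb) exit 0
            if (xa > yb) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# check_beanutils: reads dependency:tree text on stdin. Tree lines look like
#   [INFO] |  \- commons-beanutils:commons-beanutils:jar:1.9.4:compile
# Prints every commons-beanutils coordinate below MIN_BEANUTILS and returns
# 1 if any was found, 0 if the tree is clean.
check_beanutils() {
    found=0
    for coord in $(grep -o 'commons-beanutils:commons-beanutils:jar:[0-9][0-9.]*'); do
        ver=${coord##*:}
        if version_lt "$ver" "$MIN_BEANUTILS"; then
            echo "VULNERABLE: $coord (below $MIN_BEANUTILS)"
            found=1
        fi
    done
    return $found
}

# Constructed sample tree (placeholder coordinates, not the real Appsmith
# module graph): the validator bump brings in 1.11.0, but a second path
# still drags in an older BeanUtils, which is exactly the case the review
# asked to rule out.
SAMPLE_TREE='[INFO] com.example:example-server:jar:1.0-SNAPSHOT
[INFO] +- commons-validator:commons-validator:jar:1.10.0:compile
[INFO] |  \- commons-beanutils:commons-beanutils:jar:1.11.0:compile
[INFO] \- org.example:legacy-lib:jar:2.3:compile
[INFO]    \- commons-beanutils:commons-beanutils:jar:1.9.4:compile'

if printf '%s\n' "$SAMPLE_TREE" | check_beanutils; then
    echo "OK: no commons-beanutils below $MIN_BEANUTILS"
else
    echo "FAIL: pin commons-beanutils $MIN_BEANUTILS in dependencyManagement"
fi
```

To run it against the real build, pipe the output of the `mvn ... dependency:tree -Dincludes=commons-beanutils:commons-beanutils` command from the comments above into `check_beanutils`; the `-Dincludes` filter keeps only matching artifacts and their parent chain, but the parser works on the unfiltered tree as well. Wiring the non-zero exit status into the CI job turns the reviewer's "run locally and confirm" into a check that fails the build whenever any module reintroduces a pre-1.11.0 BeanUtils.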

@github-actions

Deploy-Preview-URL: https://ce-41223.dp.appsmith.com

@subrata71 subrata71 requested review from vivek-appsmith and removed request for nidhi-nair and sharat87 September 12, 2025 11:55
Contributor

@vivek-appsmith vivek-appsmith left a comment


LGTM 👍

@subrata71 subrata71 added the ok-to-test Required label for CI label Sep 15, 2025
@subrata71 subrata71 merged commit 40cc2f6 into release Sep 15, 2025
131 of 137 checks passed
@subrata71 subrata71 deleted the fix/CVE-2025-48734 branch September 15, 2025 11:14

Labels

Bug Something isn't working ok-to-test Required label for CI
