CVE-2025-55163 through grpc-netty-shaded-1.71.0.jar

[Aranduran]

Our OWASP scan is showing that both com.google.cloud:libraries-bom:26.69.0 which lists com.google.cloud:google-cloud-storage:2.53.0 depend on io.grpc:grpc-netty-shaded:1.71.0. I checked if using com.google.cloud:google-cloud-storage:2.58.1 would resolve it, but that uses the same version of grpc-netty-shaded. This version of grpc-netty-shaded has an open vulnerability, CVE-2025-55163 which is reported fixed in 1.75.0.

Few questions...
Are these libraries impacted by this vulnerability from the transitive dependency?
If so, is there a timeline for a fix?
If so, from my end, could constraining the grpc-netty-shaded to version 1.75.0+ cause functional issues for ?

Thank you!

If it's helpful for answering the question regarding constraining the version, I am using google-cloud-storage for file upload/download and metdata management, including com.google.cloud.storage and com.google.cloud.storage.transfermanager packages.

[BenWhitehead]

Please see googleapis/java-cloud-bom#7222 (comment) and googleapis/google-cloud-java#11757 (comment) for the details of where we are on fixing this, along with the assessment of the CVE's impact on this library.

[Aranduran]

Thank you!

[jmini]

Thank you for the statements and the assessment.

Please keep in mind that the SCA tools are raising issues at scale and require explanations on why this is a false positive. Those are not always accepted or require a lot of energy and arguments.

I would really recommend to update those libraries since this is the only way to keep everyone quiet. I guess this is the downside of automated SCA.

[BenWhitehead]

Pending PR with the work to upgrade grpc across all of the Google Cloud Java Libraries googleapis/sdk-platform-java#3942

This repo does not manage the version of grpc itself, instead we rely on the shared dependencies provided by the sdk-platform-java repo. Once things are updated there and released it will flow out in our next release that picks those up.