Dependency Security issue CVE-2025-55163

Hi there.

Anyone know how to fix this dependency vulnerability report about the gRPC dependency vulnerability CVE-2025-55163?


You should update the version of `gRPC` your application uses to the latest.

For Gradle that would be:
// grpc-bom is a BOM, so it must be declared as a platform; a plain
// implementation 'io.grpc:grpc-bom:...' line pins nothing
implementation platform('io.grpc:grpc-bom:1.75.0')

Depending on your build system it would be slightly different: https://mvnrepository.com/artifact/io.grpc/grpc-bom/1.75.0

I will note this vulnerability does not apply to the Java SDK, since the Java SDK is a client, not a server, but most vulnerability detection tools don’t understand that distinction.

I’ve tried to do this, importing this dependency directly into my project and excluding it from the Temporal Java SDK, just like this:

<!-- https://mvnrepository.com/artifact/io.grpc/grpc-netty-shaded -->
<dependency>
    <groupId>io.grpc</groupId>
    <artifactId>grpc-netty-shaded</artifactId>
    <version>1.75.0</version>
</dependency>
<!-- Temporal SDK -->
<dependency>
    <groupId>io.temporal</groupId>
    <artifactId>temporal-sdk</artifactId>
    <version>1.31.0</version>
    <exclusions>
        <exclusion>
            <groupId>io.grpc</groupId>
            <artifactId>grpc-netty-shaded</artifactId>
        </exclusion>
    </exclusions>
</dependency>

But when I try to execute my application I get this error:

Caused by: java.lang.NoClassDefFoundError: io/grpc/ForwardingChannelBuilder2
at java.base/java.lang.ClassLoader.defineClass1(Native Method) ~[na:na]
at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1027) ~[na:na]
at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:150) ~[na:na]
at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:862) ~[na:na]
at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760) ~[na:na]
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681) ~[na:na]
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639) ~[na:na]
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) ~[na:na]
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526) ~[na:na]
at io.temporal.serviceclient.ChannelManager.prepareChannel(ChannelManager.java:206) ~[temporal-serviceclient-1.28.4.jar:1.28.4]
at io.temporal.serviceclient.ChannelManager.<init>(ChannelManager.java:118) ~[temporal-serviceclient-1.28.4.jar:1.28.4]
at io.temporal.serviceclient.ChannelManager.<init>(ChannelManager.java:98) ~[temporal-serviceclient-1.28.4.jar:1.28.4]
at io.temporal.serviceclient.WorkflowServiceStubsImpl.<init>(WorkflowServiceStubsImpl.java:84) ~[temporal-serviceclient-1.28.4.jar:1.28.4]
at io.temporal.serviceclient.WorkflowServiceStubs.newServiceStubs(WorkflowServiceStubs.java:66) ~[temporal-serviceclient-1.28.4.jar:1.28.4]

Do you know how to solve this?

Anyone figure out how to fix it?

@temporal, could you release a new version of the Java SDK?

@edermaxc please see my instructions above. You can’t mix and match different versions of gRPC libraries; you need to update them all as per my instructions.

@Quinn_Klassen how about excluding the grpc-bom from Temporal and using the updated grpc-bom?

<dependency>
    <groupId>io.temporal</groupId>
    <artifactId>temporal-spring-boot-starter</artifactId>
    <version>1.30.1</version>
    <exclusions>
        <exclusion>
            <groupId>io.grpc</groupId>
            <artifactId>grpc-bom</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>io.grpc</groupId>
    <artifactId>grpc-bom</artifactId>
    <version>1.75.0</version>
    <type>pom</type>
</dependency>

The solution works after adding <scope>import</scope> to the grpc-bom dependency.
@Quinn_Klassen
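The point made in the replies above (every gRPC artifact has to move together; bumping one of them leaves the classpath mixed, which is exactly what the NoClassDefFoundError on ForwardingChannelBuilder2 shows) is easy to verify from the resolved dependency tree. The script below is an added example written for this page, not Temporal's or gRPC's code: it parses the output of `mvn dependency:tree -Dincludes=io.grpc` and fails when io.grpc artifacts resolve to more than one version, or to anything below a minimum. The two embedded trees are constructed to mirror the mixed state from the first pom in this thread and the state after a BOM override; the 1.75.0 minimum is the version recommended above, not a statement of the advisory's exact fixed range, and the `-Dincludes` filter is only a convenience (the parser accepts the unfiltered tree as well).

```python
"""Check that every io.grpc artifact on a Maven classpath resolves to a single
version at or above a chosen minimum.

Usage:  mvn dependency:tree -Dincludes=io.grpc > tree.txt
        python check_grpc.py tree.txt
Run with no argument to see the check on the constructed sample trees below.
"""
import re
import sys

# Coordinates as printed by dependency:tree:
#   groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w\-]+):)?(?P<version>[\w.\-]+):"
    r"(?P<scope>compile|provided|runtime|test|system)"
)

# Constructed sample (not real output from this thread): one artifact was
# raised to 1.75.0 while the SDK's transitive gRPC libraries stayed at 1.58.x.
MIXED_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- io.temporal:temporal-sdk:jar:1.31.0:compile
[INFO] |  \\- io.temporal:temporal-serviceclient:jar:1.31.0:compile
[INFO] |     +- io.grpc:grpc-api:jar:1.58.0:compile
[INFO] |     +- io.grpc:grpc-core:jar:1.58.0:compile
[INFO] |     +- io.grpc:grpc-stub:jar:1.58.0:compile
[INFO] |     \\- (io.grpc:grpc-netty-shaded:jar:1.58.0:compile - omitted for conflict with 1.75.0)
[INFO] \\- io.grpc:grpc-netty-shaded:jar:1.75.0:compile
"""

# Constructed sample of the same project after grpc-bom is imported in
# dependencyManagement, so Maven reports the overridden versions as managed.
FIXED_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- io.temporal:temporal-sdk:jar:1.31.0:compile
[INFO] |  \\- io.temporal:temporal-serviceclient:jar:1.31.0:compile
[INFO] |     +- io.grpc:grpc-api:jar:1.75.0:compile (version managed from 1.58.0)
[INFO] |     +- io.grpc:grpc-core:jar:1.75.0:compile (version managed from 1.58.0)
[INFO] |     \\- io.grpc:grpc-stub:jar:1.75.0:compile (version managed from 1.58.0)
[INFO] \\- io.grpc:grpc-netty-shaded:jar:1.75.0:compile
"""


def version_key(version):
    """Numeric dotted prefix of a version as a tuple, so 1.75.0 > 1.58.0 > 1.9.1.
    Qualifiers such as -SNAPSHOT are ignored for this comparison."""
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def resolved_artifacts(tree_text, group="io.grpc"):
    """Return {artifactId: version} for artifacts of `group` that win resolution.
    Verbose-tree entries marked 'omitted for conflict/duplicate' never reach the
    classpath, so they are skipped rather than counted as a second version."""
    found = {}
    for line in tree_text.splitlines():
        if "omitted for" in line:
            continue
        m = COORD_RE.search(line)
        if m and m.group("group") == group:
            found[m.group("artifact")] = m.group("version")
    return found


def check_grpc(tree_text, minimum="1.75.0", group="io.grpc"):
    """Report mixed versions and artifacts below `minimum` (default: the version
    recommended in this thread; confirm the fixed range against the advisory)."""
    arts = resolved_artifacts(tree_text, group)
    versions = sorted(set(arts.values()), key=version_key)
    below = sorted(a for a, v in arts.items() if version_key(v) < version_key(minimum))
    return {
        "artifacts": arts,
        "versions": versions,
        "mixed": len(versions) > 1,
        "below_minimum": below,
        "ok": len(versions) == 1 and not below,
    }


def report(tree_text, minimum="1.75.0"):
    """Print the findings for one tree and return the check result."""
    result = check_grpc(tree_text, minimum)
    for art, ver in sorted(result["artifacts"].items()):
        print(f"  {art:24} {ver}")
    if result["mixed"]:
        print("FAIL: mixed io.grpc versions on the classpath:", ", ".join(result["versions"]))
    if result["below_minimum"]:
        print(f"FAIL: below {minimum}:", ", ".join(result["below_minimum"]))
    if result["ok"]:
        print("OK: every io.grpc artifact resolves to", result["versions"][0])
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(0 if report(fh.read())["ok"] else 1)
    print("constructed mixed tree:")
    report(MIXED_TREE)
    print("constructed fixed tree:")
    report(FIXED_TREE)
```

Two caveats worth keeping in mind when reading the result. In Maven, the only thing that reliably produces the single-version state is importing grpc-bom in `<dependencyManagement>` (with `<type>pom</type>` and `<scope>import</scope>`), because the root project's dependencyManagement overrides the versions requested by Temporal's own poms; an `<exclusion>` on grpc-bom has no effect on version selection, since a BOM is never a node in the dependency graph. And a consistent, current classpath only settles the client side: the test server in temporal-testing is compiled against gRPC internals, so after the bump run the test suite as well, not just the scanner.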

@edermaxc

Hi @Quinn_Klassen

I tried applying the suggested fix to upgrade gRPC to the latest version by adding:

<dependency>
    <groupId>io.grpc</groupId>
    <artifactId>grpc-bom</artifactId>
    <version>1.76.1</version>
    <type>pom</type>
</dependency>

However, I’m still running into the following error:

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [io.temporal.testing.TestWorkflowEnvironment]: Factory method 'testWorkflowEnvironment' threw exception with message: io/grpc/internal/AbstractServerImplBuilder
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
        at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
        ... 176 more
Caused by: java.lang.NoClassDefFoundError: io/grpc/internal/AbstractServerImplBuilder
        at java.base/java.lang.ClassLoader.defineClass1(Native Method)
        at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1027)
        at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:150)
        at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:862)
        at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760)
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681)
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
        at io.temporal.testserver.TestServer.createServer(TestServer.java:99)
        at io.temporal.testing.TestWorkflowEnvironmentInternal.<init>(TestWorkflowEnvironmentInternal.java:77)
        at io.temporal.testing.TestWorkflowEnvironment.newInstance(TestWorkflowEnvironment.java:87)
        at io.temporal.spring.boot.autoconfigure.TestServerAutoConfiguration.testWorkflowEnvironment(TestServerAutoConfiguration.java:123)
        at io.temporal.spring.boot.autoconfigure.TestServerAutoConfiguration$$SpringCGLIB$$0.CGLIB$testWorkflowEnvironment$0(<generated>)
        at io.temporal.spring.boot.autoconfigure.TestServerAutoConfiguration$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
        at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
        at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
        at io.temporal.spring.boot.autoconfigure.TestServerAutoConfiguration$$SpringCGLIB$$0.testWorkflowEnvironment(<generated>)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
        ... 179 more

My environment:

  • Spring Boot 3.5.7

  • Temporal 1.31.0 (via temporal-spring-boot-starter) - based on gRPC 1.58.x

  • Java 21

  • gRPC 1.76.1

It looks like Temporal’s testing module may have a compile-time dependency on internal gRPC classes that were removed or relocated in newer gRPC releases.

Has anyone run into this, or is there a known compatibility issue between Temporal 1.31.x and gRPC 1.76+? Any guidance on which gRPC version is safe to use with the Temporal test server would be appreciated.

Thanks!