Dependency Security issue CVE-2025-55163

Hi there.

Anyone know how to fix this dependency vulnerability report about the gRPC dependency vulnerability CVE-2025-55163?


You should update your version of `gRPC` your application uses to the latest.

For Gradle that would be (the BOM has to be pulled in through platform() so it pins the versions of all io.grpc artifacts):
implementation platform('io.grpc:grpc-bom:1.75.0')

Depending on your build system it would be slightly different: https://mvnrepository.com/artifact/io.grpc/grpc-bom/1.75.0

I will note this vulnerability does not apply to the Java SDK since the Java SDK is a client not a server, but most vulnerability detection tools don’t understand that distinction.

I've tried to do this, importing this dependency directly in my project and excluding it from the Temporal Java SDK, just like this:

<!-- https://mvnrepository.com/artifact/io.grpc/grpc-netty-shaded -->
<dependency>
    <groupId>io.grpc</groupId>
    <artifactId>grpc-netty-shaded</artifactId>
    <version>1.75.0</version>
</dependency>
<!-- Temporal SDK -->
<dependency>
    <groupId>io.temporal</groupId>
    <artifactId>temporal-sdk</artifactId>
    <version>1.31.0</version>
    <exclusions>
        <exclusion>
            <groupId>io.grpc</groupId>
            <artifactId>grpc-netty-shaded</artifactId>
        </exclusion>
    </exclusions>
</dependency>

But when I try to execute my application I get this error:

Caused by: java.lang.NoClassDefFoundError: io/grpc/ForwardingChannelBuilder2
at java.base/java.lang.ClassLoader.defineClass1(Native Method) ~[na:na]
at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1027) ~[na:na]
at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:150) ~[na:na]
at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:862) ~[na:na]
at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760) ~[na:na]
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681) ~[na:na]
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639) ~[na:na]
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) ~[na:na]
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526) ~[na:na]
at io.temporal.serviceclient.ChannelManager.prepareChannel(ChannelManager.java:206) ~[temporal-serviceclient-1.28.4.jar:1.28.4]
at io.temporal.serviceclient.ChannelManager.<init>(ChannelManager.java:118) ~[temporal-serviceclient-1.28.4.jar:1.28.4]
at io.temporal.serviceclient.ChannelManager.<init>(ChannelManager.java:98) ~[temporal-serviceclient-1.28.4.jar:1.28.4]
at io.temporal.serviceclient.WorkflowServiceStubsImpl.<init>(WorkflowServiceStubsImpl.java:84) ~[temporal-serviceclient-1.28.4.jar:1.28.4]
at io.temporal.serviceclient.WorkflowServiceStubs.newServiceStubs(WorkflowServiceStubs.java:66) ~[temporal-serviceclient-1.28.4.jar:1.28.4]

Do you know how to solve this?

Anyone figured out how to fix it?

@temporal, could you release a new version of the Java SDK?

@edermaxc please see my instructions above. You can't mix and match different versions of gRPC libraries; you need to update them all as per my instructions.

@Quinn_Klassen how about excluding the grpc-bom from Temporal and using the updated grpc-bom?

<dependency>
    <groupId>io.temporal</groupId>
    <artifactId>temporal-spring-boot-starter</artifactId>
    <version>1.30.1</version>
    <exclusions>
        <exclusion>
            <groupId>io.grpc</groupId>
            <artifactId>grpc-bom</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>io.grpc</groupId>
    <artifactId>grpc-bom</artifactId>
    <version>1.75.0</version>
    <type>pom</type>
</dependency>

The solution works after adding <scope>import</scope> to the grpc-bom dependency.
@Quinn_Klassen

@edermaxc
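Putting the two replies above together into one POM layout, as an added example that is not code posted by any participant in this thread: the grpc-bom is declared under dependencyManagement with type pom and scope import, which is what makes Maven apply its version to every io.grpc artifact instead of treating it as an ordinary dependency on an empty pom; the Temporal starter keeps the exclusion from the post above. The versions are the ones quoted in the thread; the project coordinates (com.example:demo) are placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder coordinates for the application being built -->
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- single place to bump gRPC; every io.grpc:* artifact follows this value -->
    <grpc.version>1.75.0</grpc.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- BOM import: type=pom plus scope=import pins the managed version of
           all io.grpc artifacts, so no mixed gRPC versions reach the classpath -->
      <dependency>
        <groupId>io.grpc</groupId>
        <artifactId>grpc-bom</artifactId>
        <version>${grpc.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.temporal</groupId>
      <artifactId>temporal-spring-boot-starter</artifactId>
      <version>1.30.1</version>
      <exclusions>
        <!-- as in the post above: drop the grpc-bom the starter brings in -->
        <exclusion>
          <groupId>io.grpc</groupId>
          <artifactId>grpc-bom</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

After the change, run `mvn dependency:tree -Dincludes=io.grpc` and confirm that every io.grpc line resolves to 1.75.0; a classpath that still carries a second gRPC version is exactly what produces the NoClassDefFoundError for io/grpc/ForwardingChannelBuilder2 shown earlier in the thread. As noted above, the SDK only acts as a gRPC client, so for the Java SDK the upgrade mainly clears the scanner finding rather than closing a reachable server-side hole.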