
[Snyk] Upgrade org.apache.cxf:cxf-rt-frontend-jaxrs from 3.2.1 to 3.6.10 #249

Open

snyk-io[bot] wants to merge 1 commit into master from snyk-upgrade-822b99c6a4c44604db31c7308bd9e87d

Conversation

snyk-io Bot commented Apr 27, 2026

Snyk has created this PR to upgrade org.apache.cxf:cxf-rt-frontend-jaxrs from 3.2.1 to 3.6.10.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
  • The recommended version is 61 versions ahead of your current version.
  • The recommended version was released 3 months ago.

Issues fixed by the recommended upgrade:

Severity  Issue                                                 Snyk ID                                 Score  Exploit Maturity
critical  XML External Entity (XXE) Injection                   SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754  371    No Known Exploit
high      Cross-site Scripting (XSS)                            SNYK-JAVA-ORGAPACHECXF-1039798          371    No Known Exploit
high      Information Exposure                                  SNYK-JAVA-ORGAPACHECXF-3168313          371    No Known Exploit
high      Man-in-the-Middle (MitM)                              SNYK-JAVA-ORGAPACHECXF-31691            371    No Known Exploit
high      Allocation of Resources Without Limits or Throttling  SNYK-JAVA-ORGAPACHECXF-10755067         371    No Known Exploit
high      Server-side Request Forgery (SSRF)                    SNYK-JAVA-ORGAPACHECXF-3168315          371    Proof of Concept
high      Denial of Service (DoS)                               SNYK-JAVA-ORGAPACHECXF-8648831          371    No Known Exploit
high      Server-side Request Forgery (SSRF)                    SNYK-JAVA-ORGAPACHECXF-7541912          371    No Known Exploit
medium    Denial of Service (DoS)                               SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135  371    No Known Exploit
medium    Cross-site Scripting (XSS)                            SNYK-JAVA-ORGAPACHECXF-542666           371    No Known Exploit
medium    Denial of Service (DoS)                               SNYK-JAVA-ORGAPACHECXF-480439           371    No Known Exploit

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in maven:
org.apache.cxf:cxf-rt-frontend-jaxrs

See this project in Snyk:
https://app.snyk.io/org/mojo-8USVNVZRuv9HZjtox22wyx/project/33aefcd8-06dc-4549-af43-7b145c8267b6?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr
snyk-io Bot commented Apr 27, 2026

Merge Risk: High

Upgrading Apache CXF from version 3.2.1 to 3.6.10 is a high-risk operation that spans multiple major and minor releases. Significant breaking changes were introduced between these versions, requiring careful attention and likely code and environment modifications.

Key Breaking Changes:

  • Java Version Requirement: The most critical change is the Java baseline. Version 3.6.x requires a minimum of Java 11. Version 3.5.x was the last to support Java 8.
  • Removed Modules and Features:
    • The management-web module was removed in version 3.2.
    • Several data bindings have been removed, including jibx, sdo, and xmlbeans.
    • The old OAuth 1.0 module was removed in version 3.5.
    • The Log4jLogger from CXF core was removed in version 3.4 in favor of Slf4jLogger.
    • Legacy Jetty 9.x Continuations support is removed in version 3.6.
  • Dependency Upgrades: There are numerous major dependency upgrades you need to be aware of, which may introduce transitive dependency conflicts:
    • Spring Framework: Upgraded to 5.x in version 3.3.
    • Spring Boot: Upgraded to 2.x in version 3.3.
    • Jetty: Upgraded to 9.4.x in 3.2 and then to 10 in 3.6.
    • Jackson: Upgraded to 2.11 in 3.4 and 2.13.x in 3.5.
    • Jakarta EE APIs: CXF has progressively adopted Jakarta EE dependencies. This might require managing javax.* and jakarta.* dependencies.

Recommendation:

Given the number of breaking changes, a direct upgrade is not recommended. You should:

  1. Upgrade your environment to Java 11 if you haven't already.
  2. Review the migration guides for each major version between 3.2 and 3.6 (3.3, 3.4, 3.5, 3.6) to understand the full scope of changes.
  3. Address removed modules and features by finding alternative implementations or migrating to newer APIs as suggested in the migration guides.
  4. Carefully manage dependency conflicts, especially with Spring, Jetty, and Jackson.

Source: Apache CXF Migration Guides

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

snyk-io Bot commented Apr 27, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
