fix(deps): update dependency org.thymeleaf:thymeleaf to v3.1.4.release [security]#10249
Code Review
This pull request updates the Thymeleaf dependency version in the pom.xml file. The review feedback correctly identifies that the version 3.1.4.RELEASE does not exist in Maven Central due to a change in Thymeleaf's versioning scheme and suggests using 3.1.4 instead.
| <groupId>org.thymeleaf</groupId> | ||
| <artifactId>thymeleaf</artifactId> | ||
| <version>3.1.2.RELEASE</version> | ||
| <version>3.1.4.RELEASE</version> |
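Review bot: the version string this hunk introduces, 3.1.4.RELEASE, is contradicted by the review comment on this PR, which states that Thymeleaf dropped the .RELEASE suffix from 3.1.3 onward and that the published artifact is 3.1.4, while the advisory text quoted in the description names the fix as 3.1.4.RELEASE. Resolve the discrepancy by checking the artifact coordinates against the registry before merging rather than trusting either string; a version that does not resolve breaks the build instead of applying the security fix.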
The version 3.1.4.RELEASE does not exist in Maven Central. Starting with version 3.1.3, Thymeleaf has changed its versioning scheme and removed the .RELEASE suffix. The correct version to use is 3.1.4. Additionally, while this update addresses the SSTI vulnerabilities mentioned in the PR, please be aware that the application's templates (e.g., index.html) use th:utext to render user-controlled data such as headers and cookies, which introduces a significant Cross-Site Scripting (XSS) vulnerability. It is strongly recommended to switch to th:text for automatic HTML escaping.
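The mitigation that both the review comment above and the advisory quoted in the PR description point to, shown as an added example rather than code from this repository: the template is a fixed string, request-derived data such as a header value enters only as a context variable, and `th:text` escapes it on output. Class and variable names are assumptions.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class SafeHeaderRendering {

    // The template is a constant. Request data never becomes part of the template
    // text, so it cannot carry expression syntax to the engine (the SSTI condition
    // the advisory describes). th:text escapes the value; th:utext would emit it
    // verbatim, which is the XSS problem flagged in the review comment.
    private static final String TEMPLATE =
        "<p>User-Agent: <span th:text=\"${userAgent}\">placeholder</span></p>";

    private final TemplateEngine engine;

    public SafeHeaderRendering() {
        // StringTemplateResolver treats the string passed to process() as the template body.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
    }

    /** Render the fixed template; the header value is supplied only as a context variable. */
    public String render(String userAgent) {
        Context ctx = new Context();
        ctx.setVariable("userAgent", userAgent);
        return engine.process(TEMPLATE, ctx);
    }

    public static void main(String[] args) {
        // Constructed sample header value containing markup.
        String crafted = "<b>crafted</b>";
        String html = new SafeHeaderRendering().render(crafted);
        System.out.println(html);
        // With th:text the angle brackets are escaped, so no element is created.
        if (!html.contains("&lt;b&gt;crafted&lt;/b&gt;")) {
            throw new AssertionError("expected escaped output, got: " + html);
        }
    }
}
```

Anti-pattern to compare against: building the template string from the request (for example concatenating the header into the markup before calling `process`), which is exactly the "unvalidated user input passed directly to the template engine" the advisory warns about.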
| <version>3.1.4.RELEASE</version> | |
| <version>3.1.4</version> |
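Review bot: with this hunk the pom now pins 3.1.4, but the PR title still reads v3.1.4.release and the description's change line still says 3.1.2.RELEASE→3.1.4.RELEASE. Update both so the merge record refers to the version the pom actually contains.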
This PR contains the following updates:
3.1.2.RELEASE → 3.1.4.RELEASE
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2026-40477
Impact
A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI).
Patches
This has been fixed in Thymeleaf 3.1.4.RELEASE.
Workarounds
No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.
Credits
Thanks to Thomas Reburn (Praetorian) for responsible disclosure.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2026-40478
Impact
A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI).
Patches
This has been fixed in Thymeleaf 3.1.4.RELEASE.
Workarounds
No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.
Credits
Thanks to Dawid Bakaj (VIPentest.com) for responsible disclosure.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.