[Snyk] Fix for 2 vulnerabilities

[ISGA]

User description

Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Improper Validation of Syntactic Correctness of Input SNYK-JAVA-IOUNDERTOW-14908846	161	io.undertow:undertow-servlet: 2.3.2.Final -> 2.3.21.Final org.wildfly:wildfly-undertow: 29.0.0.Final -> 39.0.0.Final Major version upgrade No Known Exploit
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-IOUNDERTOW-15053841	124	io.undertow:undertow-servlet: 2.3.2.Final -> 2.3.21.Final org.wildfly:wildfly-undertow: 29.0.0.Final -> 39.0.0.Final Major version upgrade No Known Exploit

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

---

CodeAnt-AI Description

Upgrade Undertow and WildFly dependencies to fix reported security vulnerabilities

What Changed

• Updated Undertow Jakarta dependency from 2.3.2.Final to 2.3.21.Final to resolve input validation and resource-allocation vulnerabilities
• Set WildFly version to 39.0.0.Final in build profiles so modules use the updated Undertow-aligned WildFly artifacts
• Cleaned up POM contributors element formatting (no behavioral change)

Impact

✅ Fewer security vulnerabilities reported by scanners
✅ Safer HTTP handling against input validation exploits
✅ Fewer urgent dependency upgrade alerts during builds

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[amplify-security]

🔍 Amplify code check status:  

⚠️ 0 issues detected in   📄 1 file and   ❇️ 8 lines of code   🛠️ using Opengrep

Last updated by commit bfc13fb at 2026-01-25 09:37:42 UTC.

[codeant-ai]

Nitpicks 🔍

🔒 No security issues identified

⚡ Recommended areas for review Hardcoded version (upstream) The upstream-adapters profile also hardcodes <wildfly.version>39.0.0.Final</wildfly.version>. This may conflict with the earlier upstream.wildfly.version property (currently 29.0.0.Final) and lead to mixed dependency versions. Confirm intended version and unify approach. Hardcoded version (EAP8) The eap8-adapters profile sets <wildfly.version>39.0.0.Final</wildfly.version> as a literal. This duplicates a top-level / upstream property and can cause inconsistency with other profile/property-based versioning and downstream overrides. Prefer referencing an existing property to keep versions aligned.

[codeant-ai]

Suggestion: The new Undertow Jakarta version property is declared but not wired into the undertow.version property, so io.undertow:undertow-servlet and undertow-core still resolve to the legacy 2.2.24.Final line and the intended security upgrade to 2.3.21.Final never takes effect. [security]

Severity Level: Critical 🚨

- ❌ Undertow-servlet remains vulnerable at 2.2.24.Final.
- ❌ Undertow-core remains vulnerable at 2.2.24.Final.
- ⚠️ Snyk security upgrade does not take effect.
- ⚠️ Runtime uses legacy Undertow on server startup.

Suggested change

	<undertow.version>${undertow-legacy.version}</undertow.version>
	<undertow-legacy.version>2.2.24.Final</undertow-legacy.version>
	<undertow-jakarta.version>2.3.2.Final</undertow-jakarta.version>
	<undertow-jakarta.version>2.3.21.Final</undertow-jakarta.version>
	<undertow-legacy.version>2.2.24.Final</undertow-legacy.version>
	<undertow-jakarta.version>2.3.21.Final</undertow-jakarta.version>
	<undertow.version>${undertow-jakarta.version}</undertow.version>

Steps of Reproduction ✅

1. Open the PR final file at pom.xml and inspect the properties block around lines 124-126
(the properties section where undertow versions are declared). The file contains:

   - line 124: <undertow.version>${undertow-legacy.version}</undertow.version>

   - line 125: <undertow-legacy.version>2.2.24.Final</undertow-legacy.version>

   - line 126: <undertow-jakarta.version>2.3.21.Final</undertow-jakarta.version>

2. Build the project (mvn -DskipTests package) or run mvn dependency:tree on the module
that uses these properties. Maven will resolve io.undertow:undertow-servlet and
io.undertow:undertow-core using ${undertow.version} (line 124), which expands to
${undertow-legacy.version} -> 2.2.24.Final. Expected outcome: undertow dependencies remain
at 2.2.24.Final.

3. Observe that the new property undertow-jakarta.version (line 126) is defined but not
referenced by undertow.version, so the intended update to 2.3.21.Final does not take
effect and the vulnerable Undertow artifact versions are still used at runtime.

4. Conclusion: The suggestion to wire undertow.version to undertow-jakarta.version ensures
mvn dependency resolution picks 2.3.21.Final; without that change the Snyk upgrade is
ineffective. This reproduction follows the real Maven resolution path and the actual
property names present in pom.xml.

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** pom.xml
**Line:** 124:126
**Comment:**
	*Security: The new Undertow Jakarta version property is declared but not wired into the `undertow.version` property, so `io.undertow:undertow-servlet` and `undertow-core` still resolve to the legacy 2.2.24.Final line and the intended security upgrade to 2.3.21.Final never takes effect.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[zeropath-ai]

✅ No security or compliance issues detected. Reviewed everything up to bfc13fb.

Security Overview

• 🔎 Scanned files: 1 changed file(s)
• 🔗 Scan Link: https://zeropath.com/app/repositories/0e111b51-ae74-4faa-8067-84c4c8db1568?scanId=a7681d81-4302-4821-9e91-bef82bfc2d5d&codeScanTypes=PrScan&tab=issues

Detected Code Changes

| Change Type | Relevant files

[openhands-ai]

Looks like there are a few issues preventing this PR from being merged!

• GitHub Actions are failing:
  • Keycloak Operator CI
  • Keycloak CI
  • Keycloak Documentation
  • CodeQL
  • Keycloak Operator CI
  • Keycloak JavaScript CI
  • Keycloak CI
  • Automatic Dependency Submission (Maven)
  • Automatic Dependency Submission (Maven)

If you'd like me to help, just leave a comment, like

@OpenHands please fix the failing actions on PR #547 at branch `snyk-fix-870a5e45ce265b5caf447aa7eb3e24eb`

Feel free to include any additional details that might help me get this PR into a better state.

_{^{You can manage your notification settings}}