From 47b574327bb5537c1eb9e598eb79d9ed6eb0fdc7 Mon Sep 17 00:00:00 2001 From: Rory Preddy Date: Fri, 5 Dec 2025 09:54:47 +0200 Subject: [PATCH] Override protobuf-java version in milvus-store to fix CVE-2024-7254 The milvus-sdk-java 2.5.8 depends on protobuf-java 3.24.0 which is vulnerable to CVE-2024-7254 (SNYK-JAVA-COMGOOGLEPROTOBUF-8055227) Stack-based Buffer Overflow. This fix adds a dependencyManagement section to override the transitive protobuf-java dependency to use version 3.25.8 (defined in parent pom as protobuf-java.version property) which contains the fix for this CVE. Signed-off-by: Rory Preddy --- vector-stores/spring-ai-milvus-store/pom.xml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/vector-stores/spring-ai-milvus-store/pom.xml b/vector-stores/spring-ai-milvus-store/pom.xml index 13e9ba3b55b..da654eb7ec9 100644 --- a/vector-stores/spring-ai-milvus-store/pom.xml +++ b/vector-stores/spring-ai-milvus-store/pom.xml @@ -41,6 +41,17 @@ 17 + + + + + com.google.protobuf + protobuf-java + ${protobuf-java.version} + + + + org.springframework.ai
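Review bot: the new dependencyManagement entry pins protobuf-java to `${protobuf-java.version}` but carries no comment saying why it is there, so a later bump of milvus-sdk-java (or a cleanup of "unused" managed versions) can silently drop the override and reintroduce the vulnerable 3.24.0; please add an XML comment above the entry naming the reason, along the lines of `<!-- Override transitive protobuf-java from milvus-sdk-java 2.5.8: CVE-2024-7254 -->`. Two things the hunk itself cannot show and the PR should confirm: that `protobuf-java.version` is actually defined in the parent pom as 3.25.8 (the commit message asserts it; an undefined property would make the managed version the literal string and fail resolution), and that the override really wins in this module, which `mvn dependency:tree -Dincludes=com.google.protobuf` run here would demonstrate. Since this is a minor-version move (3.24.0 to 3.25.8) under gRPC stubs generated for the Milvus SDK, a short note that the module's tests still pass against the bumped runtime would close the review.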