square / retrofit

A type-safe HTTP client for Android and the JVM
https://square.github.io/retrofit/
Apache License 2.0

[Security] Retrofit depends on an outdated version of okhttp with a high-severity vulnerability #4210

Closed the-gigi closed 3 months ago

the-gigi commented 3 months ago

Retrofit depends on okhttp 3.14.9 See: https://github.com/square/retrofit/blob/trunk/gradle/libs.versions.toml#L17

This is the last 3.x.x version of okhttp (released in May 2020, more than 4 years ago). This version depends on okio 1.17.2, which has the following high-severity vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3635

and also another vulnerability from its dependencies: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250

This causes retrofit to be marked as vulnerable in scans and compromises the security and compliance story of any library or application using retrofit.

Please upgrade okhttp to a secure version. All 4.x.x versions of okhttp are secure.

btw, okhttp is moving to 5.x.x and has a 5.0.0-alpha release already.
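For a project that consumes Retrofit and cannot wait for the library to move, the transitive okhttp/okio versions can be raised from the consumer's own build file. The snippet below is an added example (Gradle Kotlin DSL), not a file from the Retrofit repository; the Retrofit, okhttp and okio version strings are assumptions picked at the time of writing and should be checked against the projects' release pages and the advisory before use.

```kotlin
// build.gradle.kts of an application that depends on Retrofit (added example, not Retrofit's own build).
// Retrofit's gradle/libs.versions.toml pins okhttp 3.14.9, which pulls in okio 1.17.2.
// Gradle resolves each module to the highest requested version, so a constraint declared
// here wins over the version Retrofit declares transitively.
dependencies {
    // Assumed: 2.11.0 is the Retrofit release in use; substitute your own.
    implementation("com.squareup.retrofit2:retrofit:2.11.0")

    constraints {
        // Assumed: 4.12.0 is the 4.x okhttp release you have vetted for your project.
        implementation("com.squareup.okhttp3:okhttp:4.12.0") {
            because("Retrofit declares okhttp 3.14.9; its okio 1.17.2 is flagged for CVE-2023-3635")
        }
        // Assumed: a 3.x okio release that post-dates the CVE-2023-3635 fix; verify against the advisory.
        implementation("com.squareup.okio:okio:3.9.0") {
            because("raise okio above the version flagged by dependency scanners")
        }
    }
}
```

After applying the constraint, `./gradlew dependencyInsight --dependency okio --configuration runtimeClasspath` shows which version was selected and which rule selected it, which is the evidence a scanner or auditor will want. One caveat: okhttp 4.x is written in Kotlin and adds kotlin-stdlib to the runtime classpath, so the override is a dependency change in its own right and should go through the same review as any other upgrade.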

JakeWharton commented 3 months ago

We are not upgrading OkHttp at this time. See https://github.com/square/retrofit/issues/4020#issuecomment-1870586604 for the plan.

Neither of those vulnerabilities is a real problem. A thrown exception from GzipSource is always possible to create, and the other is in a test library so not relevant.