Thursday, September 1, 2022

Re: Security Vulnerabilities with GWT 2.10

On Thursday, September 1, 2022 at 11:57:07 AM UTC+2 wrote:
Thanks for response.

There is one more CVE has been reported for gwt-dev jar for htmlUnit component. Details of CVE are as below -
CVE - CVE-2022-29546
severity  - 7.5 
Description - HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption.

Are there any plans to mitigate above vulnerablity?
As we know that gwt-dev.jar is used for development purpose( in our application, we remove gwt-dev.jar post compilation) , still are there any attack surfaces exists?

It depends whether you a) use GWTTestCase b) run them with the HtmlUnit runner c) those tests load external resources not under your control (that could contain the processing instruction triggering the OOME)

You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit

No comments:

Post a Comment