[Aikido] Fix 40 security issues in spring-boot-starter-test, spring-boot-starter-web, tomcat-embed-core and 1 more #5

Open

aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-44094420-dsj9

Conversation

@aikido-autofix aikido-autofix Bot commented Jun 4, 2026

Upgrade dependencies to fix critical Tomcat vulnerabilities: RCE via path equivalence and JSP compilation race conditions, rewrite rule bypass, input validation flaws, and digest authentication bypass.

⚠️ Breaking changes analysis not available for: org.springframework.boot:spring-boot-starter-test, org.springframework.boot:spring-boot-starter-web

✅ No breaking changes for: org.apache.tomcat.embed:tomcat-embed-core, org.apache.tomcat.embed:tomcat-embed-websocket

✅ 40 CVEs resolved by this upgrade, including 8 critical 🚨 CVEs

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2025-24813 | 🚨 CRITICAL | [tomcat-embed-core] Path traversal vulnerability in the default servlet with write permissions enabled allows attackers to access sensitive files or execute remote code through partial PUT requests and path equivalence exploitation. |
| CVE-2024-50379 | 🚨 CRITICAL | [tomcat-embed-core] TOCTOU race condition in JSP compilation on case-insensitive filesystems with writable default servlet allows remote code execution. Affects systems with non-default write-enabled servlet configuration. |
| CVE-2025-31651 | 🚨 CRITICAL | [tomcat-embed-core] Improper neutralization of escape sequences in rewrite rules allows specially crafted requests to bypass security constraints under specific configurations. This could lead to unauthorized access if rewrite rules enforce security policies. |
| CVE-2026-41293 | 🚨 CRITICAL | [tomcat-embed-core] Improper input validation vulnerability allows attackers to bypass security controls or trigger unexpected behavior. Potential impacts include remote code execution, denial of service, or information disclosure depending on exploitation context. |
| CVE-2026-43512 | 🚨 CRITICAL | [tomcat-embed-core] Digest authentication implementation contains flaws allowing attackers to bypass authentication mechanisms. This vulnerability enables unauthorized access to protected resources without valid credentials. |
| CVE-2025-55754 | 🚨 CRITICAL | [tomcat-embed-core] Improper neutralization of ANSI escape sequences in log messages allows attackers to inject sequences via crafted URLs to manipulate console output and clipboard on Windows systems, potentially tricking administrators into executing malicious commands. |
| CVE-2026-43515 | 🚨 CRITICAL | [tomcat-embed-core] Improper authorization in method constraints allows attackers to bypass HTTP method restrictions on specific file extensions, potentially enabling unauthorized access to protected resources. |
| CVE-2025-66614 | 🚨 CRITICAL | [tomcat-embed-core] Improper validation of SNI extension hostname against HTTP host header allows clients to bypass client certificate authentication by providing mismatched hostnames across multiple virtual hosts. This enables authentication bypass when certificate requirements differ between virtual hosts. |
| CVE-2025-48988 | HIGH | [tomcat-embed-core] Uncontrolled resource allocation vulnerability allowing attackers to exhaust server resources and cause denial of service through unbounded memory or connection consumption. |
| CVE-2025-55752 | HIGH | [tomcat-embed-core] Path traversal vulnerability allowing attackers to bypass security constraints like /WEB-INF/ protection through manipulated rewrite rules. Combined with enabled PUT requests, this could enable remote code execution. |
| CVE-2025-31650 | HIGH | [tomcat-embed-core] Improper input validation in HTTP priority headers causes incomplete request cleanup, leading to memory leaks. Repeated malicious requests can trigger OutOfMemoryException and cause denial of service. |
| CVE-2025-48989 | HIGH | [tomcat-embed-core] Improper resource shutdown vulnerability allows attackers to exploit the "made you reset" attack, potentially causing denial of service or connection manipulation through improper HTTP connection handling. |
| CVE-2025-52520 | HIGH | [tomcat-embed-core] Integer overflow in multipart upload handling allows bypassing size limits, leading to denial of service attacks in specific configurations. |
| CVE-2026-24734 | HIGH | [tomcat-embed-core] Improper input validation in OCSP responder handling fails to verify response freshness and completion, allowing certificate revocation to be bypassed. This enables attackers to use revoked certificates for authentication or encryption. |
| CVE-2026-24880 | HIGH | [tomcat-embed-core] HTTP request smuggling vulnerability via invalid chunk extension allows attackers to bypass security controls and potentially execute arbitrary code or manipulate request handling. |
| CVE-2026-34483 | HIGH | [tomcat-embed-core] Improper encoding in JsonAccessLogValve allows injection of malicious content into JSON access logs, potentially enabling log manipulation and code injection attacks. |
| CVE-2026-34487 | HIGH | [tomcat-embed-core] Kubernetes bearer tokens are exposed in log files through the cloud membership clustering component, allowing information disclosure to unauthorized users with log access. |
| CVE-2026-41284 | HIGH | [tomcat-embed-core] Uncontrolled resource allocation vulnerability allows attackers to exhaust server resources through unlimited allocation requests, leading to denial of service. |
| CVE-2026-43513 | HIGH | [tomcat-embed-core] Improper case sensitivity handling in LockOutRealm allows attackers to bypass account lockout protections through case-variant usernames, potentially enabling unauthorized access. |
| CVE-2026-42498 | HIGH | [tomcat-embed-core] HTTP Authentication headers are exposed to unexpected hosts during WebSocket authentication, allowing potential credential disclosure to unauthorized parties. |
| CVE-2024-56337 | HIGH | [tomcat-embed-core] A TOCTOU race condition in the default servlet on case-insensitive file systems with write enabled allows attackers to bypass security checks. This incomplete mitigation of CVE-2024-50379 could lead to unauthorized file access or modification. |
| CVE-2025-49125 | MEDIUM | [tomcat-embed-core] Authentication bypass vulnerability allowing access to PreResources/PostResources via alternate paths, bypassing security constraints that protect the expected paths. |
| CVE-2026-25854 | MEDIUM | [tomcat-embed-core] Open redirect vulnerability in LoadBalancerDrainingValve allows attackers to redirect users to untrusted sites. This could enable phishing attacks or malicious redirects to compromise user security. |
| CVE-2025-61795 | MEDIUM | [tomcat-embed-core] Temporary files from multipart uploads aren't cleaned up immediately during errors, allowing disk space to fill faster than garbage collection can clear it, causing denial of service. |
| CVE-2025-49124 | MEDIUM | [tomcat-embed-core] Untrusted search path vulnerability in Windows installer allows arbitrary code execution when icacls.exe is invoked without a full path, enabling privilege escalation during installation. |
| CVE-2025-53506 | LOW | [tomcat-embed-core] An HTTP/2 client that fails to acknowledge initial settings frame can cause uncontrolled resource consumption by bypassing concurrent stream limits. This leads to potential denial of service through resource exhaustion. |
| CVE-2026-24733 | LOW | [tomcat-embed-core] HTTP/0.9 requests are not properly validated, allowing attackers to bypass security constraints by sending HEAD requests to URIs configured to deny GET requests. This enables unauthorized access to protected resources through constraint bypass. |
| CVE-2026-43514 | LOW | [tomcat-embed-core] Observable timing discrepancy in AJP secret comparison allows attackers to bypass authentication through timing analysis attacks. |
| CVE-2025-46701 | LOW | [tomcat-embed-core] Improper case sensitivity handling in CGI servlet allows bypass of security constraints applied to URI path components. This enables attackers to circumvent access controls. |
| CVE-2025-41249 | HIGH | [spring-core] Spring Framework's annotation detection may fail to resolve security annotations on methods in generic superclasses, potentially bypassing authorization checks when using Spring Security's @EnableMethodSecurity feature. |
| CVE-2025-41234 | MEDIUM | [spring-core] A reflected file download (RFD) vulnerability exists in ContentDisposition header handling when filenames derived from unsanitized user input are set with non-ASCII charsets, allowing attackers to inject malicious commands into downloaded content. |
| CVE-2025-41242 | MEDIUM | [spring-core] A path traversal vulnerability exists in Spring Framework MVC applications when deployed on non-compliant Servlet containers that don't reject suspicious URI sequences, allowing attackers to access static resources outside intended directories. This could lead to unauthorized information disclosure or remote code execution depending on the resources exposed. |
| CVE-2025-22233 | LOW | [spring-core] A bypass vulnerability exists in disallowedFields validation that allows attackers to circumvent field binding restrictions through locale-dependent case conversion, potentially enabling unauthorized data binding and remote code execution. |
| AIKIDO-2026-10661 | HIGH | [spring-boot] A timing attack vulnerability in DevTools remote secret comparison allows attackers on the same network to infer the secret through repeated measurements, potentially leading to unauthorized class uploads and remote code execution. |
| AIKIDO-2026-10660 | HIGH | [spring-boot] Insecure temporary directory handling allows a local attacker to predict and take control of temp directories without ownership verification. This enables session hijacking or remote code execution when persistent sessions are enabled. |
| AIKIDO-2026-10581 | MEDIUM | [spring-boot] ApplicationPidFileWriter improperly follows symlinks when writing PID files at predictable paths, allowing local attackers with write access to cause arbitrary file corruption on application startup. |
| AIKIDO-2026-10583 | MEDIUM | [spring-boot] A weak pseudo-random number generator is used for ${random.value}, generating predictable values unsuitable for secrets. This can weaken tokens, passwords, and other security-sensitive data derived from these properties. |
| AIKIDO-2026-10584 | MEDIUM | [spring-boot] Improper validation of certificate hostnames in Cassandra auto-configuration allows TLS connections to trust certificates without verifying they match the intended server hostname, enabling man-in-the-middle attacks against Cassandra traffic. |
| CVE-2025-22235 | HIGH | [spring-boot] EndpointRequest.to() incorrectly creates a matcher for null/** when the referenced actuator endpoint is disabled or not exposed, potentially allowing unauthorized access to /null paths that should be protected by Spring Security. |
| CVE-2026-40973 | HIGH | [spring-boot] A local attacker can hijack the predictable ApplicationTemp directory to read session data and hijack authenticated users or execute arbitrary code when persistent sessions are enabled, potentially persisting across application restarts. |
