On my end, the reason I didn't question this is I wasn't expecting spring-boot to not be using the latest version. They decided not to backport the change to the 3.5 branch if you're curious: https://github.com/spring-projects/spring-boot/issues/46437 Also IntelliJ's dependency analyser doesn't tell me that the version is coming from spring-boot pinning that version. Anyway thanks, problem solved ;)
Hi Scott. Indeed, I don't know how I missed that. Seems I'm having the same issue described in that other ticket. Sorry for the dup. I'll be more careful in the future.
Transitive dependency commons-lang3 vulnerable to CVE-2025-48924 — please upgrade to 3.20.0