Merge branch 'suppress-netty-cves'

albin-mullvad · albin-mullvad · commit 39125664d7e5 · 2025-03-12T21:42:28.000+01:00
diff --git a/android/gradle/osv-scanner.toml b/android/gradle/osv-scanner.toml
@@ -64,7 +64,7 @@ reason = "No impact since the app doesn't process externally crafted XML."
 # netty: Denial of Service attack on windows app
 [[IgnoredVulns]]
 id = "CVE-2024-47535" # GHSA-xq3w-v528-46rv
-ignoreUntil = 2025-02-13
+ignoreUntil = 2025-06-13
 reason = "Only impacting Windows."
 
 # Several vulns related to bouncy castle that is only being used by lint.
@@ -75,3 +75,15 @@ ecosystem = "Maven"
 ignore = true
 effectiveUntil = 2025-05-02
 reason = "Used by lint and not the app directly."
+
+# netty: Denial of Service attack on windows app
+[[IgnoredVulns]]
+id = "CVE-2025-25193" # GHSA-389x-839f-4rhx
+ignoreUntil = 2025-06-13
+reason = "Only impacting Windows."
+
+# netty: Crash when using native SSLEngine
+[[IgnoredVulns]]
+id = "CVE-2025-24970" # GHSA-4g8c-wm8x-jfhw
+ignoreUntil = 2025-06-13
+reason = "Netty is not used in conjunction with SSL."
