GHSA-hwvm-vfw8-93mw
MEDIUMVulnerable dependency in XTDB connector
Blast Radius
org.odpi.egeria:egeria-connector-xtdbReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.
Description
Impact
The impacted portion of the XTDB connector is its connectivity to S3 as a backing store: this is the only portion of the connector that uses this vulnerable httpclient dependency. Per the description, the vulnerability regards URIs that may be misinterpreted, which given the area of impact within the connector we understand to be any URI used to configure connectivity to S3. Note therefore that if you do not use or configure S3 as a backing store in your use of the connector, you should not be exposed to any vulnerability from this component.
Patches
The problem has been addressed in version 4.5.13 of the httpclient library, which is included as a replacement dependency version for the build of the XTDB connector from release 3.5 onwards. Therefore, using release 3.5 (or newer) of the connector will include the fixes to address this CVE.
Workarounds
We have not investigated specific workarounds, but per the description of the issue it seems likely that ensuring the proper URIs are used for any S3 connectivity used by the connector (and ensuring there are appropriate controls around modifying such URIs in the connector's configuration) would be the first point of investigation.
References
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| ☕Maven | org.odpi.egeria:egeria-connector-xtdb | all versions | 3.5 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.odpi.egeria:egeria-connector-xtdb. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update org.odpi.egeria:egeria-connector-xtdb to 3.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-hwvm-vfw8-93mw is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-hwvm-vfw8-93mw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-hwvm-vfw8-93mw. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-hwvm-vfw8-93mw in your dependencies?
O3 detects GHSA-hwvm-vfw8-93mw across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.