From a1cdbdcb6fc5a3df0f60acba75bd010d81d09590 Mon Sep 17 00:00:00 2001
From: Patrick Boos
Date: Fri, 5 Dec 2025 10:43:03 +0100
Subject: [PATCH] [CHK-12903] Fix dependabot alert 29 (org.mozilla:rhino) (#304)

---
 openapi-validation-core/build.gradle | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/openapi-validation-core/build.gradle b/openapi-validation-core/build.gradle
index 4a2962fc..3d59b07a 100644
--- a/openapi-validation-core/build.gradle
+++ b/openapi-validation-core/build.gradle
@@ -10,6 +10,9 @@ dependencies {
 implementation(libs.commons.codec) {
 because 'Apache commons-codec before 1.13 is vulnerable to information exposure. See https://devhub.checkmarx.com/cve-details/Cxeb68d52e-5509/'
 }
+ implementation('org.mozilla:rhino:1.7.14.1') {
+ because 'CVE-2025-66453: Rhino before 1.7.14.1 has high CPU usage and potential DoS when passing specific numbers to toFixed() function. See https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x'
+ }
 // implementation('org.yaml:snakeyaml:1.33') {
 // because 'Vulnerability in 1.33 is not yet fixed. See: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in' +
 // 'https://devhub.checkmarx.com/cve-details/CVE-2022-41854/' +
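Review bot: The added `implementation('org.mozilla:rhino:1.7.14.1')` line turns what is presumably a transitive dependency into a direct compile-scope dependency of openapi-validation-core, which then appears in the module's published POM and stays there even after the upstream library moves past Rhino; if this module does not itself use Rhino classes, the upgrade is better expressed as a dependency constraint, `constraints { implementation('org.mozilla:rhino:1.7.14.1') { because '…' } }`, which only raises the resolved version without declaring a new direct dependency. The hard-coded coordinate string is also inconsistent with the `libs.commons.codec` catalog reference a few lines above; routing the version through the catalog keeps a single place to bump it when the next Rhino advisory lands. Note that a plain `implementation` version is a minimum for Gradle's conflict resolution, not a ceiling, so a later transitive request for a higher version still wins, which is desirable here, but an explicit constraint makes that intent visible. The `dependencies {` block begins before this hunk and continues after it.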