Spring Boot Test Dependency Exposed: Critical 9.8 CVSS Vulnerability in htmlunit-driver-4.8.3
A critical security flaw with a CVSS score of 9.8 has been flagged within a core testing dependency of the Spring Boot framework. The vulnerable library, `htmlunit-driver-4.8.3.jar`, is directly referenced in the official `spring-boot-test` project's build configuration, exposing a wide range of applications that rely on this standard component for automated web testing. This is not a theoretical risk: the specific vulnerability, CVE-2023-26119, has a publicly available proof-of-concept exploit, which significantly raises the immediate threat level for any deployed system using this version.
The issue originates from a transitive dependency, `htmlunit-2.70.0.jar`, bundled within the Selenium HtmlUnit driver. The path to the vulnerable file is clearly traced within the Gradle build cache, confirming its direct inclusion. A remediation is available (upgrading the underlying `htmlunit` library to version 3.0.0), but applying it requires explicit action by each consuming project. The vulnerability's presence in a mainstream project like `spring-boot-test` suggests a potentially widespread, silent exposure across the Java ecosystem, as developers may unknowingly inherit this risk through their project's default test scaffolding.
The high 9.8 CVSS score indicates the flaw's potential for severe impact, likely enabling remote code execution or significant system compromise. The fact that this critical finding is linked to a foundational testing module underscores a systemic software supply chain risk. Organizations using Spring Boot for development must immediately audit their `build.gradle` files, specifically the `spring-boot-test` dependency path, to determine whether they are pulling in the vulnerable `htmlunit-driver:4.8.3`, and upgrade the underlying `htmlunit` library to 3.0.0.
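One way to run the audit described above across many builds is to feed the output of `./gradlew dependencies --configuration testRuntimeClasspath` through a small checker. The script below is an added example, not code from the article or from the Spring Boot project; the dependency-tree sample it runs on is constructed, and it assumes Gradle's usual `group:artifact:version` tree format (with `requested -> resolved` lines where Gradle substituted a version).

```shell
#!/bin/sh
# Added example (not from the article or the Spring Boot project): scan the
# output of `./gradlew dependencies --configuration testRuntimeClasspath` for
# HtmlUnit versions below 3.0.0, the range affected by CVE-2023-26119.
# Matches the pre-3.0 group id net.sourceforge.htmlunit and the org.htmlunit
# group id used from 3.0.0 on, so an upgraded build is reported clean.

# Reads a Gradle dependency tree on stdin, prints one line per vulnerable
# htmlunit coordinate, and exits 1 if any was found (0 otherwise).
check_htmlunit() {
    awk '
    /(net\.sourceforge\.htmlunit|org\.htmlunit):htmlunit:/ {
        # Gradle prints "requested -> resolved" when it substitutes a version;
        # the resolved one is what ends up on the classpath.
        if (match($0, /-> [0-9][^ ]*/)) {
            ver = substr($0, RSTART + 3, RLENGTH - 3)
        } else {
            match($0, /:htmlunit:[0-9][^ ]*/)
            ver = substr($0, RSTART + 10, RLENGTH - 10)
        }
        split(ver, v, ".")
        if (v[1] + 0 < 3) {
            print "VULNERABLE htmlunit " ver " (CVE-2023-26119, fixed in 3.0.0)"
            found = 1
        }
    }
    END { if (found) exit 1 }'
}

# Constructed sample of a dependency tree pulling htmlunit 2.70.0 through
# htmlunit-driver 4.8.3; not real output from any project.
SAMPLE='testRuntimeClasspath - Runtime classpath of source set test.
+--- org.springframework.boot:spring-boot-test:3.0.0
+--- org.seleniumhq.selenium:htmlunit-driver:4.8.3
|    +--- net.sourceforge.htmlunit:htmlunit:2.70.0
|    |    +--- net.sourceforge.htmlunit:htmlunit-core-js:2.70.0
|    |    \--- net.sourceforge.htmlunit:neko-htmlunit:2.70.0
|    \--- org.seleniumhq.selenium:selenium-api:4.8.3
\--- net.sourceforge.htmlunit:htmlunit:2.60.0 -> 2.70.0 (*)'

# Stand-alone run on the sample; the exit status is what a CI gate would use.
printf '%s\n' "$SAMPLE" | check_htmlunit || echo "build is exposed (exit $?)"
```

Because `spring-boot-test` is a test-scope dependency, run the check against the test configurations (`testRuntimeClasspath`, `testCompileClasspath`) rather than only `runtimeClasspath`, or the transitive `htmlunit` artifact will not appear in the tree at all.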