Spring Boot Test Dependency Exposed: Critical 9.8 CVSS Vulnerability in HtmlUnit 2.70.0
A critical security flaw with a CVSS score of 9.8 has been identified within a core testing library used by the Spring Boot framework. The vulnerable component, `htmlunit-2.70.0.jar`, is a direct dependency in the official `spring-boot-test-autoconfigure` module, exposing a wide range of Java applications that rely on this popular framework for automated web testing. The vulnerability, tracked as CVE-2023-26119, is rated critical and has a publicly available proof-of-concept exploit, which significantly increases the immediate risk of compromise.
The issue stems from HtmlUnit, a headless browser library designed for testing web applications. The vulnerable version, 2.70.0, is pulled into projects through the standard Gradle build path. The finding also shows that this is not an isolated flaw: the library carries a total of seven documented vulnerabilities. Alongside the critical 9.8-rated CVE, a high-severity 7.5-rated vulnerability (CVE-2023-36478) is also present, compounding the exposure. The vulnerable file sits deep within the standard Gradle cache, which indicates automatic and widespread inclusion in development and CI/CD pipelines.
The presence of these vulnerabilities in a foundational testing library creates a substantial supply chain risk. Because HtmlUnit is embedded within Spring Boot's official testing utilities, countless projects may be inadvertently vulnerable without direct developer awareness. A remediation is technically available, namely upgrading the dependency to version 3.0.0, but because the dependency is transitive the upgrade is not picked up automatically and must be forced explicitly in the build. This situation places pressure on development and security teams to audit their build configurations immediately, as the exploit maturity and high EPSS score signal that active targeting is a distinct possibility.
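Because the vulnerable jar arrives transitively, the first step of the audit the advisory calls for is finding out which HtmlUnit version actually resolves onto the test classpath rather than which one, if any, the project declares. The script below is an added example, not code from the advisory or from the Spring Boot or HtmlUnit projects. It parses the text that `./gradlew dependencies --configuration testRuntimeClasspath` prints, follows Gradle's `declared -> resolved` notation so that conflict resolution is accounted for, and flags any `htmlunit` artifact below 3.0.0, the fixed version named above. The sample report is constructed for the demonstration, and the pre-3.0 coordinates `net.sourceforge.htmlunit:htmlunit` are an assumption; confirm the coordinates of the 3.0.0 release in your own build before adding a version constraint.

```python
"""Audit a Gradle dependency report for HtmlUnit versions below 3.0.0.

Added example, not part of the original advisory. Assumes the report text
comes from `./gradlew dependencies --configuration testRuntimeClasspath`
and that the artifact name of the affected library is `htmlunit`.
"""
import re
from typing import List, Optional, Tuple

# Lowest version the advisory names as fixed.
FIXED_VERSION = (3, 0, 0)

# Gradle tree lines look like one of:
#   +--- net.sourceforge.htmlunit:htmlunit:2.60.0 -> 2.70.0 (*)
#   +--- org.springframework.boot:spring-boot-starter-test -> 2.7.10
#   \--- org.htmlunit:htmlunit:3.0.0
# "-> X" means conflict resolution or a BOM replaced the declared version
# with X, and X is what actually lands on the classpath.
_DEP_RE = re.compile(
    r"([\w.-]+):([\w.-]+)(?::([\w.-]+))?(?:\s*->\s*([\w.-]+))?"
)

# Constructed sample report; the dependency chain is illustrative only.
SAMPLE_REPORT = """\
testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- org.springframework.boot:spring-boot-starter-test -> 2.7.10
|    \\--- org.springframework.boot:spring-boot-test-autoconfigure:2.7.10
|         \\--- net.sourceforge.htmlunit:htmlunit:2.60.0 -> 2.70.0 (*)
|              \\--- net.sourceforge.htmlunit:htmlunit-core-js:2.70.0
+--- org.seleniumhq.selenium:htmlunit-driver:2.70.0
\\--- org.htmlunit:htmlunit:3.0.0
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.70.0' into (2, 70, 0); qualifiers such as -SNAPSHOT are ignored."""
    numbers = re.findall(r"\d+", version)
    return tuple(int(n) for n in numbers) or (0,)


def resolved_artifacts(report: str) -> List[Tuple[str, str, str]]:
    """Return (group, artifact, resolved_version) for each dependency line.

    Lines without any version (neither declared nor resolved) are skipped.
    """
    found = []
    for line in report.splitlines():
        match = _DEP_RE.search(line)
        if not match:
            continue
        group, artifact, declared, resolved = match.groups()
        version: Optional[str] = resolved or declared
        if version is None:
            continue
        found.append((group, artifact, version))
    return found


def vulnerable_htmlunit(report: str) -> List[str]:
    """Return 'group:artifact:version' for every htmlunit jar below 3.0.0."""
    hits = set()
    for group, artifact, version in resolved_artifacts(report):
        if artifact != "htmlunit":
            continue
        if parse_version(version) < FIXED_VERSION:
            hits.add(f"{group}:{artifact}:{version}")
    return sorted(hits)


if __name__ == "__main__":
    for hit in vulnerable_htmlunit(SAMPLE_REPORT):
        print(f"vulnerable: {hit} (upgrade to >= 3.0.0)")
```

Run it against the real report by piping `./gradlew dependencies --configuration testRuntimeClasspath` into a file and passing its contents to `vulnerable_htmlunit`. Checking the resolved version rather than the declared one matters here: a project that declares no HtmlUnit version at all still inherits 2.70.0 through `spring-boot-test-autoconfigure`, and a declared older version that Gradle bumps to 2.70.0 would otherwise be reported under the wrong number. Once the offending coordinates are known, the fix is an explicit version constraint on that artifact in the build script, since the transitive declaration will not move on its own.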