From 3e9c2dbfc5b8342169df7554476ea0ed11a4b630 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Feb 2026 17:22:23 +0000
Subject: [PATCH 1/5] Initial plan


From 47355ff457290316df400c03e2bcdb43601c865c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Feb 2026 17:29:23 +0000
Subject: [PATCH 2/5] fix(tunnel-server): override vulnerable spring security
 and tomcat versions

Co-authored-by: hengyunabc <1683936+hengyunabc@users.noreply.github.com>
---
 tunnel-server/pom.xml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/tunnel-server/pom.xml b/tunnel-server/pom.xml
index 8308e83a31..08dba972c8 100644
--- a/tunnel-server/pom.xml
+++ b/tunnel-server/pom.xml
@@ -15,6 +15,8 @@
 		<maven.compiler.target>1.8</maven.compiler.target>
 		<maven.compiler.source>1.8</maven.compiler.source>
 		<java.version>1.8</java.version>
+		<spring-security.version>5.8.16</spring-security.version>
+		<tomcat-embed-core.version>9.0.98</tomcat-embed-core.version>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 	</properties>
@@ -36,6 +38,31 @@
 				<type>pom</type>
 				<scope>import</scope>
 			</dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-core</artifactId>
+                <version>${tomcat-embed-core.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-config</artifactId>
+                <version>${spring-security.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-web</artifactId>
+                <version>${spring-security.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-core</artifactId>
+                <version>${spring-security.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-crypto</artifactId>
+                <version>${spring-security.version}</version>
+            </dependency>
 		</dependencies>
 	</dependencyManagement>
 

From 0d66fcad25468949854d8b922afdf67ddb1b687e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Feb 2026 17:30:36 +0000
Subject: [PATCH 3/5] chore(tunnel-server): align dependency management
 formatting

Co-authored-by: hengyunabc <1683936+hengyunabc@users.noreply.github.com>
---
 tunnel-server/pom.xml | 50 +++++++++++++++++++++----------------------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/tunnel-server/pom.xml b/tunnel-server/pom.xml
index 08dba972c8..cc4ec2ef05 100644
--- a/tunnel-server/pom.xml
+++ b/tunnel-server/pom.xml
@@ -38,31 +38,31 @@
 				<type>pom</type>
 				<scope>import</scope>
 			</dependency>
-            <dependency>
-                <groupId>org.apache.tomcat.embed</groupId>
-                <artifactId>tomcat-embed-core</artifactId>
-                <version>${tomcat-embed-core.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.springframework.security</groupId>
-                <artifactId>spring-security-config</artifactId>
-                <version>${spring-security.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.springframework.security</groupId>
-                <artifactId>spring-security-web</artifactId>
-                <version>${spring-security.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.springframework.security</groupId>
-                <artifactId>spring-security-core</artifactId>
-                <version>${spring-security.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.springframework.security</groupId>
-                <artifactId>spring-security-crypto</artifactId>
-                <version>${spring-security.version}</version>
-            </dependency>
+			<dependency>
+				<groupId>org.apache.tomcat.embed</groupId>
+				<artifactId>tomcat-embed-core</artifactId>
+				<version>${tomcat-embed-core.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>org.springframework.security</groupId>
+				<artifactId>spring-security-config</artifactId>
+				<version>${spring-security.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>org.springframework.security</groupId>
+				<artifactId>spring-security-web</artifactId>
+				<version>${spring-security.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>org.springframework.security</groupId>
+				<artifactId>spring-security-core</artifactId>
+				<version>${spring-security.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>org.springframework.security</groupId>
+				<artifactId>spring-security-crypto</artifactId>
+				<version>${spring-security.version}</version>
+			</dependency>
 		</dependencies>
 	</dependencyManagement>
 

From 820f5012b7094c9f840486b8825171677f52a360 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Feb 2026 17:32:59 +0000
Subject: [PATCH 4/5] fix(tunnel-server): upgrade tomcat embed core to 9.0.109

Co-authored-by: hengyunabc <1683936+hengyunabc@users.noreply.github.com>
---
 tunnel-server/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tunnel-server/pom.xml b/tunnel-server/pom.xml
index cc4ec2ef05..5295c61039 100644
--- a/tunnel-server/pom.xml
+++ b/tunnel-server/pom.xml
@@ -16,7 +16,7 @@
 		<maven.compiler.source>1.8</maven.compiler.source>
 		<java.version>1.8</java.version>
 		<spring-security.version>5.8.16</spring-security.version>
-		<tomcat-embed-core.version>9.0.98</tomcat-embed-core.version>
+		<tomcat-embed-core.version>9.0.109</tomcat-embed-core.version>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 	</properties>

From e4ddb320a86a1331674742b4af6cc21e6c57cafc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Feb 2026 17:39:23 +0000
Subject: [PATCH 5/5] fix(tunnel-server): upgrade to spring boot 3.5.11
 dependency line

Co-authored-by: hengyunabc <1683936+hengyunabc@users.noreply.github.com>
---
 tunnel-server/pom.xml                         | 39 +++++++------------
 .../tunnel/server/app/WebSecurityConfig.java  | 21 ++++++----
 .../server/app/web/DetailAPIController.java   |  2 +-
 .../server/app/web/ProxyController.java       |  2 +-
 4 files changed, 30 insertions(+), 34 deletions(-)

diff --git a/tunnel-server/pom.xml b/tunnel-server/pom.xml
index 5295c61039..4802a805d0 100644
--- a/tunnel-server/pom.xml
+++ b/tunnel-server/pom.xml
@@ -12,11 +12,12 @@
 	<url>https://github.com/alibaba/arthas</url>
 
 	<properties>
-		<maven.compiler.target>1.8</maven.compiler.target>
-		<maven.compiler.source>1.8</maven.compiler.source>
-		<java.version>1.8</java.version>
-		<spring-security.version>5.8.16</spring-security.version>
-		<tomcat-embed-core.version>9.0.109</tomcat-embed-core.version>
+		<maven.compiler.target>17</maven.compiler.target>
+		<maven.compiler.source>17</maven.compiler.source>
+		<java.version>17</java.version>
+		<spring-boot.version>3.5.11</spring-boot.version>
+		<slf4j.version>2.0.17</slf4j.version>
+		<logback.version>1.5.32</logback.version>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 	</properties>
@@ -39,29 +40,19 @@
 				<scope>import</scope>
 			</dependency>
 			<dependency>
-				<groupId>org.apache.tomcat.embed</groupId>
-				<artifactId>tomcat-embed-core</artifactId>
-				<version>${tomcat-embed-core.version}</version>
+				<groupId>org.slf4j</groupId>
+				<artifactId>slf4j-api</artifactId>
+				<version>${slf4j.version}</version>
 			</dependency>
 			<dependency>
-				<groupId>org.springframework.security</groupId>
-				<artifactId>spring-security-config</artifactId>
-				<version>${spring-security.version}</version>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-classic</artifactId>
+				<version>${logback.version}</version>
 			</dependency>
 			<dependency>
-				<groupId>org.springframework.security</groupId>
-				<artifactId>spring-security-web</artifactId>
-				<version>${spring-security.version}</version>
-			</dependency>
-			<dependency>
-				<groupId>org.springframework.security</groupId>
-				<artifactId>spring-security-core</artifactId>
-				<version>${spring-security.version}</version>
-			</dependency>
-			<dependency>
-				<groupId>org.springframework.security</groupId>
-				<artifactId>spring-security-crypto</artifactId>
-				<version>${spring-security.version}</version>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-core</artifactId>
+				<version>${logback.version}</version>
 			</dependency>
 		</dependencies>
 	</dependencyManagement>
diff --git a/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/WebSecurityConfig.java b/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/WebSecurityConfig.java
index efa3cf1455..376992b2c8 100644
--- a/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/WebSecurityConfig.java
+++ b/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/WebSecurityConfig.java
@@ -2,9 +2,11 @@
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.SecurityFilterChain;
 
 import com.alibaba.arthas.tunnel.server.app.configuration.ArthasProperties;
 
@@ -14,17 +16,20 @@
  *
  */
 @Configuration
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
 
     @Autowired
     ArthasProperties arthasProperties;
-    @Override
-    protected void configure(HttpSecurity httpSecurity) throws Exception {
-        httpSecurity.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated().anyRequest()
-        .permitAll().and().formLogin();
+
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
+        httpSecurity.authorizeHttpRequests((authorize) -> authorize
+                .requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated()
+                .anyRequest().permitAll()).formLogin(Customizer.withDefaults());
         // allow iframe
         if (arthasProperties.isEnableIframeSupport()) {
-            httpSecurity.headers().frameOptions().disable();
+            httpSecurity.headers((headers) -> headers.frameOptions((frameOptions) -> frameOptions.disable()));
         }
+        return httpSecurity.build();
     }
-}
\ No newline at end of file
+}
diff --git a/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/web/DetailAPIController.java b/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/web/DetailAPIController.java
index 31fd608cc2..9872f7e40d 100644
--- a/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/web/DetailAPIController.java
+++ b/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/web/DetailAPIController.java
@@ -7,7 +7,7 @@
 import java.util.Map;
 import java.util.Set;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
diff --git a/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/web/ProxyController.java b/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/web/ProxyController.java
index 3c7630aa61..a93daead56 100644
--- a/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/web/ProxyController.java
+++ b/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/web/ProxyController.java
@@ -7,7 +7,7 @@
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 
 import org.apache.commons.lang3.RandomStringUtils;
 import org.slf4j.Logger;