Vulnerabilities in Spring AI Vector Stores dependencies

[nicolaskrier]

While analyzing dependencies in IntelliJ IDEA, I identified that some vector stores have the following vulnerabilities in vector database Java clients dependencies:

• Milvus: CVE-2025-55163 and CVE-2024-7254,
• Qdrant: CVE-2024-7254 and CVE-2025-55163,
• Typesense: CVE-2023-3635,
• Weaviate: CVE-2025-55163.

This might also be an opportunity to upgrade these vector database Java clients.

[nicolaskrier]

I have tried to use the latest version of Qdrant Java Client containing security fixes with a Spring AI 1.1.2 project but I got an exception by doing so:

java.lang.ClassNotFoundException: io.qdrant.client.grpc.Points$PointId

That is why I believe some modifications have to be applied on the code base to be able to use this latest version of Qdrant Java Client.

Another option could be just upgrading the dependencies having vulnerabilities like in this commit.