Re: OGNL Library vulnerability- CVE-2025-53192
- Subject: Re: OGNL Library vulnerability- CVE-2025-53192
- From: Ramsey Gurley via Webobjects-dev <email@hidden>
- Date: Thu, 18 Sep 2025 13:08:40 -0500
I haven't used/tried it, but Hugi has something called Parsley here,

https://github.com/undur/Parsley

It appears to support a subset of what WOOgnl did using pure WO, so
maybe it works for you.

As for myself, I followed the wonder example and just never used inline
bindings in any of my components. I even converted an entire codebase to
wod bindings once. It's easier than it sounds, because there is a key
combo to convert inline bindings to wod bindings. Just ctrl-2 w.

Strangely WOLips doesn't seem to list the key combo in the
"Edit->Refactor->Convert Inline to WOD menu item" anymore. But if I open
a component, put the cursor in the HTML pane, and ctrl-2, a little
window appears indicating ctrl-2 w should still work.

That's my secret super power when removing inline bindings from
everything. You still have to migrate any of the Ognl with logic in them
to a java method, but nobody ever used those anyway, right? ;)

On 9/12/25 12:13 PM, Ricardo Parada via Webobjects-dev wrote:

Hi everyone,

I’ve been told that the ognl library used by WOOgnl has a vulnerability and
that the ognl project is retired and that no fix is planned.

The recommendation is to migrate to an alternative library or restrict access
to trusted users only.

Has anybody done this by any chance?

Thank you
Ricardo Parada
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden