
Dependency upgrade: replace wire-runtime-jvm with wire-runtime 6.3.0+ to address CVE-2026-45799 #4336

@fivetran-allisonrochelle

Description

kafka-protobuf-provider has a transitive dependency on com.squareup.wire:wire-runtime-jvm, which is affected by CVE-2026-45799 (GHSA-7xpr-hc2w-34m9, CVSS 7.5 High).

Dependency chain

kafka-protobuf-serializer
└─ kafka-protobuf-provider
   └─ com.squareup.wire:wire-runtime-jvm ← affected

Vulnerability summary

The skipGroup() method in wire-runtime-jvm does not validate negative varint lengths before calling skip(). A crafted protobuf payload causes an unchecked ArrayIndexOutOfBoundsException at decode time, crashing services that only handle checked exceptions.

Full details: GHSA-7xpr-hc2w-34m9

Why upgrading kafka-protobuf-provider alone does not fix this

wire-runtime-jvm is a discontinued artifact. Square has not backported the fix to any 5.x release. The latest available version, 5.5.0 (shipped with kafka-protobuf-provider 8.2.1), does not contain the security fix. The fix exists only in the replacement artifact com.squareup.wire:wire-runtime:6.3.0+.

Requested change

Migrate kafka-protobuf-provider from com.squareup.wire:wire-runtime-jvm to com.squareup.wire:wire-runtime:6.3.0 or later.
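The bug class the vulnerability summary above describes, as an added example written for this page (it is not code from Wire, from kafka-protobuf-provider, or from the issue author): a minimal protobuf field skipper in Python, first in the form that trusts a length varint after narrowing it to a signed 32-bit int and hands it straight to the cursor move, then in the validated form that checks the full decoded length against the remaining bytes before skipping. The decoder, the helper names (`read_varint`, `to_int32`, `array_get`, `walk`, `outcome`) and the three payloads are constructed here; only the general pattern (a negative length reaching skip(), an unchecked index error at decode time) comes from the issue text.

```python
"""
Added example for this page (not Wire's code, not kafka-protobuf-provider's):
a minimal protobuf field skipper showing the bug class the issue describes,
a length varint narrowed to a signed 32-bit int, going negative, and reaching
skip() unchecked, next to the validated form. All payloads are constructed.
"""
import struct

WIRETYPE_VARINT, WIRETYPE_I64, WIRETYPE_LEN, WIRETYPE_I32 = 0, 1, 2, 5


class MalformedProtobuf(ValueError):
    """The error a caller is expected to catch (analogue of a checked exception)."""


def array_get(buf: bytes, idx: int) -> int:
    """Index with JVM array semantics: a negative or past-the-end index raises."""
    if idx < 0 or idx >= len(buf):
        raise IndexError(f"index {idx} out of bounds for length {len(buf)}")
    return buf[idx]


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode one base-128 varint starting at pos; return (value, next_pos)."""
    result, shift = 0, 0
    for _ in range(10):                 # protobuf varints are at most 10 bytes
        if pos >= len(buf):
            raise MalformedProtobuf("truncated varint")
        b = array_get(buf, pos)         # raises IndexError if pos went negative
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise MalformedProtobuf("varint longer than 10 bytes")


def to_int32(value: int) -> int:
    """Narrow to a signed 32-bit int the way a JVM (int) cast of a long does."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def skip_field_unchecked(buf: bytes, pos: int) -> int:
    """Vulnerable pattern: trust the narrowed length and move the cursor by it."""
    tag, pos = read_varint(buf, pos)
    wire_type = tag & 0x7
    if wire_type == WIRETYPE_VARINT:
        _, pos = read_varint(buf, pos)
    elif wire_type == WIRETYPE_LEN:
        length, pos = read_varint(buf, pos)
        pos += to_int32(length)         # may be negative or far past the end
    elif wire_type == WIRETYPE_I64:
        pos += 8
    elif wire_type == WIRETYPE_I32:
        pos += 4
    else:
        raise MalformedProtobuf(f"unsupported wire type {wire_type}")
    return pos


def skip_field(buf: bytes, pos: int) -> int:
    """Validated form: the length is checked against the remaining bytes first."""
    tag, pos = read_varint(buf, pos)
    wire_type = tag & 0x7
    if wire_type == WIRETYPE_VARINT:
        _, pos = read_varint(buf, pos)
        return pos
    if wire_type == WIRETYPE_LEN:
        length, pos = read_varint(buf, pos)
    elif wire_type == WIRETYPE_I64:
        length = 8
    elif wire_type == WIRETYPE_I32:
        length = 4
    else:
        raise MalformedProtobuf(f"unsupported wire type {wire_type}")
    # Check the full decoded value before any narrowing and before skipping.
    # On the JVM the equivalent is `if (length < 0 || length > remaining)`.
    if length > len(buf) - pos:
        raise MalformedProtobuf(f"length {length} exceeds {len(buf) - pos} remaining bytes")
    return pos + length


def walk(buf: bytes, skipper) -> int:
    """Skip every field in buf with the given skipper; return the final cursor."""
    pos = 0
    while pos < len(buf):
        pos = skipper(buf, pos)
    return pos


def outcome(skipper, buf: bytes) -> str:
    """Run a skipper over a payload and report how decoding ended."""
    try:
        return f"ok@{walk(buf, skipper)}"
    except MalformedProtobuf as e:
        return f"rejected: {e}"
    except IndexError as e:             # the unchecked failure a caller that only
        return f"crashed: {e}"          # handles checked exceptions never sees coming


# Constructed payloads; field 1 with wire type 2 is the tag byte 0x0A.
GOOD = bytes([0x0A, 0x03]) + b"abc" + bytes([0x10, 0x01])            # "abc", then field 2 = 1
NEGATIVE_LENGTH = bytes([0x0A, 0x80, 0x80, 0x80, 0x80, 0x08, 0x00])  # length 2**31 -> int32 -2**31
OVERSIZED = bytes([0x0A, 0x64, 0x00])                                # claims 100 bytes, 1 present

if __name__ == "__main__":
    for name, payload in [("good", GOOD), ("negative", NEGATIVE_LENGTH), ("oversized", OVERSIZED)]:
        print(f"{name:9} unchecked: {outcome(skip_field_unchecked, payload)}")
        print(f"{name:9} checked:   {outcome(skip_field, payload)}")
```

The negative-length payload is the interesting one: the varint itself is well formed, so a decoder that only guards against truncation passes it, and the failure surfaces one field later as an index error rather than as the decoder's own error type. The oversized payload shows the second half of the same check; the unchecked form silently walks past the end of the buffer instead of failing.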
