authorDavid Göransson <david.goransson@mullvad.net>2026-04-21 09:15:21 +0200
committerDavid Göransson <david.goransson@mullvad.net>2026-04-21 15:01:24 +0200
commit8716fdf3f18a2a822f4d5e7817812d2bd76858b1 (patch)
treed8318b0ee79a3bc84e65191f8866ffcdbb5dcb8c
parentb74cab07ceb186da2db38461cfdf0696cf36e594 (diff)
downloadmullvadvpn-8716fdf3f18a2a822f4d5e7817812d2bd76858b1.tar.xz
mullvadvpn-8716fdf3f18a2a822f4d5e7817812d2bd76858b1.zip
Add ignore for new vuln
Upgrading AGP to 9.1.1 picked up a new CVE. It has no impact on the app, but the affected dependency is part of the build chain.
-rw-r--r--android/gradle/osv-scanner.toml6
1 files changed, 6 insertions, 0 deletions
diff --git a/android/gradle/osv-scanner.toml b/android/gradle/osv-scanner.toml
index a7335c2e69..fe51b7f6ef 100644
--- a/android/gradle/osv-scanner.toml
+++ b/android/gradle/osv-scanner.toml
@@ -114,3 +114,9 @@ reason = "The app does not use netty for external http communication"
id = "CVE-2026-5588" # GHSA-wg6q-6289-32hp
ignoreUntil = 2026-08-01
reason = "The app does not use dependency directly, it is used by AGP that builds the app, no impact on app"
+
+# Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs
+[[IgnoredVulns]]
+id = "CVE-2025-48924" # GHSA-j288-q9x7-2f5v
+ignoreUntil = 2026-08-01
+reason = "The app does not use dependency directly, it is used by AGP that builds the app, no impact on app"
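Review bot: The `reason` on the new CVE-2025-48924 entry is copied verbatim from the CVE-2026-5588 entry above it, so it names neither the library nor what was checked to conclude it never reaches the app. The entry is keyed only on the vulnerability id, so it presumably also silences the finding if Apache Commons Lang later arrives through a runtime dependency; until `ignoreUntil` expires, the reason text is the only record of the scope that was verified. I would make that scope explicit, e.g. `reason = "Apache Commons Lang is only resolved for AGP on the build classpath and is not packaged into the app; re-check when AGP is upgraded"`.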