All Google Guava CVEs — Complete Vulnerability History
Guava is Google's collection of core Java libraries. CVEs are rare given how widely it is used. The main CVE is a path traversal in `Files.createTempDir()` on Linux.
Java/Maven
Millions weekly downloads
2 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2018-10237 | 2018 | MEDIUM | DoS via ReDoS in Splitter.on | Fixed 24.1.1-jre |
| CVE-2023-2976 | 2023 | HIGH | Path traversal via Files.createTempDir() on Linux | Fixed 32.0.0-jre |
Current safe version: 33.1.0-jre
```xml
<!-- Before -->
<guava.version>31.0-jre</guava.version>

<!-- After -->
<guava.version>33.1.0-jre</guava.version>
```

Then run:

```
mvn dependency:resolve
```
Common questions
Does CVE-2023-2976 affect all Guava users?
Only applications that use `Files.createTempDir()` on Linux. The method creates a directory in /tmp that is world-readable, so any user on the system can read files in it. Replace it with `Files.createTempDirectory()` from Java NIO (`java.nio.file.Files`), setting appropriate permissions.

Is Guava safe for production use?
Yes. Guava has an excellent maintenance record and very few CVEs for a library of its size and age. Keep it updated and avoid the deprecated methods the CVEs flag.
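
The replacement described in the first answer above, as an added example that is not code from the original page or from the Guava project. The class name `SafeTempDir`, the method `createPrivateTempDir` and the `app-` prefix are hypothetical; the example asks for owner-only permissions at creation time and fails closed if the result is wider.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Hypothetical class and method names, chosen for this example.
public class SafeTempDir {

    // Before (the deprecated Guava call):
    //   java.io.File dir = com.google.common.io.Files.createTempDir();

    /** After: creates a temp directory that only the owning user can access. */
    static Path createPrivateTempDir(String prefix) throws IOException {
        boolean posix = FileSystems.getDefault()
                .supportedFileAttributeViews().contains("posix");
        if (!posix) {
            // Non-POSIX file systems reject POSIX attributes; access there
            // is governed by the platform's own ACLs.
            return Files.createTempDirectory(prefix);
        }
        // Ask for rwx------ at creation time so the directory never exists
        // with wider permissions, not even briefly.
        Set<PosixFilePermission> ownerOnly =
                PosixFilePermissions.fromString("rwx------");
        Path dir = Files.createTempDirectory(prefix,
                PosixFilePermissions.asFileAttribute(ownerOnly));
        // Fail closed if group or other bits are present anyway.
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(dir);
        if (!ownerOnly.containsAll(actual)) {
            Files.delete(dir);
            throw new IOException("temp dir too permissive: "
                    + PosixFilePermissions.toString(actual));
        }
        return dir;
    }

    public static void main(String[] args) throws IOException {
        // "app-" is a constructed prefix for this demonstration.
        Path dir = createPrivateTempDir("app-");
        System.out.println("created " + dir);
        Files.delete(dir);
    }
}
```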