Dependabot raised three medium-severity alerts against org.apache.logging.log4j:log4j-core (GHSA-445c-vh5m-36rj, GHSA-6hg6-v5c8-fphq, GHSA-3pxv-7cmr-fjr4 — all patched in 2.25.4).
log4j-api:2.24.3 arrives transitively on the server runtime classpath via Apache POI → kandy-lets-plot → dataframe-excel. log4j-core itself is not present, but Dependabot flags both artifacts under the same CVE umbrella since they are co-versioned in the same project. Without an explicit version constraint, the Apache POI BOM’s strict:2.24.3 pin prevents Gradle from upgrading the api artifact.
Changes:
- Add log4j2 = "2.25.4" to gradle/libs.versions.toml with an explanatory comment.
- Add an allprojects { resolutionStrategy.eachDependency } rule in build.gradle.kts that floors the entire org.apache.logging.log4j group at 2.25.4. This overrides the strict pin from Apache POI’s BOM, upgrades log4j-api from 2.24.3 to 2.25.4, and pre-emptively floors log4j-core as well if it is ever introduced as a transitive dependency.

Files touched: libs.versions.toml (version entry) + build.gradle.kts (eachDependency rule), following the same pattern used for jackson, netty, bouncycastle, gson, jose4j, and jdom2.

Verification: run ./gradlew :server:dependencyInsight --dependency log4j-api --configuration jvmRuntimeClasspath after any bump to confirm the floor is applied before opening the PR.
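For reference, here is an added example (not this repository's build.gradle.kts) of the group-wide floor described above, read from the log4j2 catalog entry. It assumes the version catalog is exposed as `libs`; the `isBelowFloor` helper is a hypothetical name added so the rule only rewrites versions that are actually older than the floor and leaves newer ones untouched.

```kotlin
// Added example of the eachDependency floor; not the project's own build script.
// Assumes gradle/libs.versions.toml contains: log4j2 = "2.25.4"  and the catalog is named `libs`.
val log4jFloor: String = libs.versions.log4j2.get()

// Split "2.24.3" into [2, 24, 3]; non-numeric qualifiers compare as 0.
fun versionParts(v: String): List<Int> =
    v.split('.', '-').map { it.takeWhile(Char::isDigit).toIntOrNull() ?: 0 }

// Hypothetical helper: true when `requested` sorts below `floor`.
// A blank or dynamic selector is treated as below the floor so it gets pinned.
fun isBelowFloor(requested: String?, floor: String): Boolean {
    if (requested.isNullOrBlank()) return true
    val a = versionParts(requested)
    val b = versionParts(floor)
    for (i in 0 until maxOf(a.size, b.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = b.getOrElse(i) { 0 }
        if (x != y) return x < y
    }
    return false
}

allprojects {
    configurations.all {
        resolutionStrategy.eachDependency {
            // Match the whole group, not just log4j-api, so log4j-core is covered
            // if some future transitive brings it onto the classpath.
            if (requested.group == "org.apache.logging.log4j" &&
                isBelowFloor(requested.version, log4jFloor)
            ) {
                // useVersion replaces the requested version, including the
                // strict:2.24.3 pin that arrives via the Apache POI BOM.
                useVersion(log4jFloor)
                because("Floor org.apache.logging.log4j at $log4jFloor for the Dependabot log4j alerts")
            }
        }
    }
}
```

Running the dependencyInsight command from the Verification step afterwards should show log4j-api selected at 2.25.4 with this rule's `because` reason attached.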