In this Slack thread (https://clojurians.slack.com/archives/C0AB48493/p1773764491417719), while trying to find out where a given vulnerable version of com.google.code.gson/gson dependency was coming from, we discovered that it was coming from com.google.javascript/closure-compiler-unshaded ("v20220502"). It seems to be included there as part of an embedded uberjar (if we understood things right). com.google.javascript/closure-compiler-unshaded is a dependency of org.clojure/clojurescript.
As we said in that thread, we are using org.clojure/clojurescript "1.11.132". But having a look at the versions included as dependencies in 1.10.x, 1.11.x and 1.12.x, we saw that all of them use either the same vulnerable version ("v20220502"), or even older versions that are also vulnerable.
As Alex Miller was also part of the thread, he suggested posting our findings in this channel, so you can consider upgrading the dependency or dependencies in question.
@iarenaza we currently depend on v20250402
@dnolen the fact is that closure-compiler-unshaded used to include gson classes like this:
closure-compiler-unshaded-v20220502.jar!/com/google/gson/Gson.class
@iarenaza since clojurescript 1.12.35, which uses v20240317, these classes are not included inside the jar anymore.