You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Root cause: Schema.defaultValue() annotation attribute default changed from "" to "##default" in 2.2.44, but setDefaultSchema() has no null guard. When annotations compiled against 2.2.43 are synthesized at runtime via Spring MergedAnnotations, defaultValue() can return null instead of the new sentinel, bypassing the !DEFAULT_SENTINEL.equals(schema.defaultValue()) guard and causing NPE at line 931 in AnnotationUtils.
// Current (buggy):StringdefaultValue = schema.defaultValue().trim();
// Fix:StringrawDefault = schema.defaultValue();
if (rawDefault == null) return;
StringdefaultValue = rawDefault.trim();
Trigger: Any @Parameter with array = @ArraySchema(...) on a method compiled against 2.2.43 annotations, processed by springdoc 2.8.x at runtime
Workaround: Keep swagger-annotations-jakarta aligned with what springdoc manages (2.2.43)
Steps to Reproduce
Have a multi-module Maven project where module A (a library) is compiled against swagger-annotations-jakarta 2.2.43 and defines a method parameter annotated with @Parameter(array = @ArraySchema(schema = @Schema(...))) — either directly or via a meta-annotation.
Module B (the application) depends on module A and on springdoc-openapi-starter-webmvc-ui 2.8.x, which transitively pulls in swagger-core-jakarta 2.2.44 (e.g. by overriding the
version springdoc manages).
Start the Spring Boot application and call the /v3/api-docs or /v3/api-docs.yaml endpoint.
Expected Behavior
The OpenAPI documentation endpoint returns 200 OK with a valid schema.
Actual Behavior
The endpoint returns 500 Internal Server Error. The following exception is thrown during schema generation:
java.lang.NullPointerException: Cannot invoke "String.trim()" because the return value of "io.swagger.v3.oas.annotations.media.Schema.defaultValue()" is null
at io.swagger.v3.core.util.AnnotationsUtils.setDefaultSchema(AnnotationsUtils.java:931)
at io.swagger.v3.core.util.AnnotationsUtils.getSchemaFromAnnotation(AnnotationsUtils.java:784)
at io.swagger.v3.core.util.AnnotationsUtils.getSchemaFromAnnotation(AnnotationsUtils.java:623)
at io.swagger.v3.core.util.AnnotationsUtils.getSchemaFromAnnotation(AnnotationsUtils.java:614)
at io.swagger.v3.core.util.AnnotationsUtils.getSchemaFromAnnotation(AnnotationsUtils.java:606)
at io.swagger.v3.core.util.AnnotationsUtils.getSchema(AnnotationsUtils.java:1877)
at org.springdoc.core.service.GenericParameterService.setSchema(GenericParameterService.java:358)
at org.springdoc.core.service.GenericParameterService.buildParameterFromDoc(GenericParameterService.java:310)
at org.springdoc.core.service.AbstractRequestService.build(AbstractRequestService.java:342)
at org.springdoc.api.AbstractOpenApiResource.calculatePath(AbstractOpenApiResource.java:636)
Logs / Stack Traces
See above.
Additional Context
springdoc-openapi 2.8.16 manages swagger-core-jakarta at 2.2.43 (declared as swagger-api.version in its parent BOM). If a downstream project or library overrides this to 2.2.44 —
even just for swagger-annotations-jakarta — the mismatch triggers the NPE.
The call path that hits the bug is in GenericParameterService.setSchema() (springdoc 2.8.16, line 358): when schema == null and parameterDoc.array() != null, springdoc calls AnnotationsUtils.getSchema(parameterDoc.schema(), parameterDoc.array(), true, ...). The parameterDoc.schema() here is the default @Schema() nested inside @Parameter. When Spring
synthesizes this annotation from a class compiled against 2.2.43, defaultValue() returns null rather than "##default", bypassing the DEFAULT_SENTINEL guard introduced in 2.2.44.
Description of the problem/issue
swagger-core-jakarta2.2.44Schema.defaultValue()annotation attribute default changed from""to"##default"in 2.2.44, butsetDefaultSchema()has no null guard. When annotations compiled against 2.2.43 are synthesized at runtime via Spring MergedAnnotations,defaultValue()can returnnullinstead of the new sentinel, bypassing the!DEFAULT_SENTINEL.equals(schema.defaultValue())guard and causing NPE at line 931 inAnnotationUtils.@Parameterwitharray = @ArraySchema(...)on a method compiled against 2.2.43 annotations, processed by springdoc 2.8.x at runtimeswagger-annotations-jakartaaligned with whatspringdocmanages (2.2.43)Steps to Reproduce
swagger-annotations-jakarta2.2.43 and defines a method parameter annotated with@Parameter(array = @ArraySchema(schema = @Schema(...)))— either directly or via a meta-annotation.springdoc-openapi-starter-webmvc-ui2.8.x, which transitively pulls inswagger-core-jakarta 2.2.44(e.g. by overriding theversion springdoc manages).
/v3/api-docsor/v3/api-docs.yamlendpoint.Expected Behavior
The OpenAPI documentation endpoint returns 200 OK with a valid schema.
Actual Behavior
The endpoint returns 500 Internal Server Error. The following exception is thrown during schema generation:
Logs / Stack Traces
See above.
Additional Context
springdoc-openapi2.8.16 managesswagger-core-jakartaat 2.2.43 (declared asswagger-api.versionin its parent BOM). If a downstream project or library overrides this to 2.2.44 —even just for
swagger-annotations-jakarta— the mismatch triggers the NPE.GenericParameterService.setSchema()(springdoc 2.8.16, line 358): whenschema == nullandparameterDoc.array() != null, springdoc callsAnnotationsUtils.getSchema(parameterDoc.schema(), parameterDoc.array(), true, ...). TheparameterDoc.schema()here is the default@Schema()nested inside@Parameter. When Springsynthesizes this annotation from a class compiled against 2.2.43,
defaultValue()returnsnullrather than"##default", bypassing theDEFAULT_SENTINELguard introduced in 2.2.44.##defaultleaks case (version 2.2.44 and 2.2.45):@Parameter+@ArraySchema#5086Checklist