
spring-cloud-openfeign:4.3.0 depends on archived feign-form-spring:13.6 which pulls vulnerable commons-fileupload:1.5

Open ziad-saade opened this issue 4 months ago • 1 comments

Problem:

When using spring-cloud-starter-openfeign:4.3.0 (via spring-cloud-dependencies:2025.0.0), the dependency tree pulls in:

spring-cloud-starter-openfeign:4.3.0
└── spring-cloud-openfeign-core:4.3.0
    └── feign-form-spring:13.6
        └── commons-fileupload:1.5 ❌ (contains known CVEs)

  • commons-fileupload:1.5 has reported vulnerabilities.
  • feign-form-spring:13.6 declares this dependency.
  • However, the Feign Form repository was archived on Dec 31, 2024 and is no longer maintained. This means the upstream project will not release a fix.
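A chain like the one above is worth confirming against your own build rather than copying from a report. The following script is an added example, not part of this issue or of the Spring Cloud project: it parses the default text output of `mvn dependency:tree`, lists every chain of parents that leads to a chosen artifact, and flags occurrences whose version is at or below the one the advisory names (1.5 for commons-fileupload here). The sample tree, its `com.example:demo` root and the `SAMPLE_TREE` shape are constructed for the demonstration; the parser assumes Maven's standard `+-`/`\-`/`|` box prefixes, three characters per nesting level.

```python
"""Locate the transitive path that pulls a given artifact into a Maven build.

Added example: parses `mvn dependency:tree` text output and reports every
parent chain that ends in the artifact of interest, flagging versions at or
below a caller-supplied affected version.
"""
import re
from typing import List, Tuple

# Constructed sample shaped like `mvn dependency:tree` output for a project on
# spring-cloud-starter-openfeign:4.3.0 (the com.example:demo root is hypothetical).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.cloud:spring-cloud-starter-openfeign:jar:4.3.0:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-openfeign-core:jar:4.3.0:compile
[INFO] |  |  \\- io.github.openfeign.form:feign-form-spring:jar:13.6:compile
[INFO] |  |     \\- commons-fileupload:commons-fileupload:jar:1.5:compile
[INFO] |  \\- io.github.openfeign:feign-core:jar:13.6:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:3.5.0:compile
"""

# Tree prefix: zero or more 3-character groups built from '|', '+', '-', '\\' and space,
# followed by a Maven coordinate (group:artifact:type[:classifier]:version[:scope]).
_LINE = re.compile(r"^((?:[|+\\\- ]{3})*)([A-Za-z0-9_.\-]+:.*)$")


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) pairs in document order, skipping non-tree lines."""
    nodes = []
    for line in text.splitlines():
        line = re.sub(r"^\[INFO\]\s?", "", line)          # drop Maven's log prefix
        m = _LINE.match(line)
        if not m:
            continue
        prefix, coord = m.groups()
        coord = re.sub(r"\s*\(.*\)$", "", coord.strip())  # drop "(version managed from ...)"
        nodes.append((len(prefix) // 3, coord))
    return nodes


def coordinate_version(coord: str) -> str:
    """Extract the version field; a 6-field coordinate carries a classifier before it."""
    fields = coord.split(":")
    return fields[4] if len(fields) >= 6 else fields[3]


def version_tuple(version: str) -> Tuple[int, ...]:
    """Naive numeric comparison key; non-numeric parts (SNAPSHOT, RC1) count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def find_paths(nodes: List[Tuple[int, str]], group_artifact: str) -> List[List[str]]:
    """Return every root-to-leaf chain whose leaf has the given 'group:artifact'."""
    paths, stack = [], []
    for depth, coord in nodes:
        del stack[depth:]            # pop back to this node's parent level
        stack.append(coord)
        if ":".join(coord.split(":")[:2]) == group_artifact:
            paths.append(list(stack))
    return paths


def vulnerable_paths(text: str, group_artifact: str, affected_max: str) -> List[Tuple[str, List[str]]]:
    """Chains ending in group_artifact whose version is <= affected_max."""
    hits = []
    for path in find_paths(parse_tree(text), group_artifact):
        version = coordinate_version(path[-1])
        if version_tuple(version) <= version_tuple(affected_max):
            hits.append((version, path))
    return hits


def report(hits: List[Tuple[str, List[str]]]) -> List[str]:
    """Human-readable one-liner per hit: version, then the chain that introduces it."""
    return [f"{version}: " + " -> ".join(path) for version, path in hits]


if __name__ == "__main__":
    # 1.5 is the version named in the issue as affected.
    for line in report(vulnerable_paths(SAMPLE_TREE, "commons-fileupload:commons-fileupload", "1.5")):
        print(line)
```

On a real project, pipe `mvn dependency:tree` into the script in place of `SAMPLE_TREE`; the second-to-last element of each reported chain is the direct parent you would exclude from or override in `dependencyManagement`.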

References

  • Archived Feign Form repo: https://github.com/OpenFeign/feign-form
  • Vulnerabilities in commons-fileupload:1.5: https://nvd.nist.gov/vuln/detail/CVE-2025-48976

ziad-saade avatar Sep 27 '25 03:09 ziad-saade

This appears to be a duplicate of #1221.

Moreover, the information in the description is not correct. feign-form-spring was merged into OpenFeign/feign. I updated its groupId in #1111 – in fact release 13.6 was only published under the new one.

The dependency on commons-fileupload was actually updated in OpenFeign/feign#2956. The maintainer also indicated in OpenFeign/feign#2911 that they are planning to publish a release soon. I think the new release will depend on SB 3.5 though.

DidierLoiseau avatar Oct 20 '25 15:10 DidierLoiseau