Ziad Saade

spring-cloud-starter-netflix-eureka-client:4.1 has vulnerability with dependency woodstox-core:6.2.1

1

 woodstox-core 6.2.1 has vulnerability:  to fix the issue upgrade to woodstox-core 6.4.0

spring-cloud-starter-netflix-eureka-client:4.3.0 has vulnerability with dependency httpclient:4.5.3

2

 httpclient:4.5.3 has vulnerability:  https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.3 to fix the issue upgrade to httpclient:4.5.14 @OlgaMaciaszek

spring-cloud-starter-netflix-eureka-client:4.3.0 has vulnerability with dependency commons-configuration:1.10

4

 commons-configuration:1.10 has vulnerabilities:  https://mvnrepository.com/artifact/commons-configuration/commons-configuration/1.10 to fix the issue upgrade to commons-configuration2:2.12.0 @OlgaMaciaszek

spring-cloud-openfeign:4.3.0 depends on archived feign-form-spring:13.6 which pulls vulnerable commons-fileupload:1.5

1

**Problem:** When using spring-cloud-starter-openfeign:4.3.0 (via spring-cloud-dependencies:2025.0.0), the dependency tree pulls in: spring-cloud-starter-openfeign:4.3.0 └── spring-cloud-openfeign-core:4.3.0 └── feign-form-spring:13.6 └── commons-fileupload:1.5 ❌ (contains known CVEs) - commons-fileupload:1.5 has reported vulnerabilities. - feign-form-spring:13.6 declares...