Vulnerability detected in transitive dependency `commons-fileupload:commons-fileupload` version 1.5 (CVE-2025-48976)

[aozmen121]

Vulnerability Details
CVE ID: CVE-2025-48976
Severity: High-risk (DoS vulnerability)
Component: commons-fileupload:commons-fileupload

Affected Versions:
1.0 up to (but excluding) 1.6
2.0.0-M1 up to (but excluding) 2.0.0-M4

Fixed Versions of commons-fileupload:
1.6
2.0.0-M4

Impact
The vulnerability allows for denial-of-service (DoS) attacks due to insufficient limits on resource allocation for multipart headers.

Transitive Origin
The commons-fileupload library is pulled in transitively by spring-cloud-openfeign dependencies.
Please upgrade commons-fileupload affected dependency to a safe version (≥1.6 or ≥2.0.0-M4).

Links:
https://github.com/apache/commons-fileupload/releases/tag/rel%2Fcommons-fileupload-1.6.0
https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload/1.6.0

[aozmen121]

@OlgaMaciaszek FYI this is potentially high risk vulnerability, is it possible to push this fix to the next scheduled release please

[OlgaMaciaszek]

Hello, @aozmen121. This comes from feign-form, which is not maintained by us. Please create an issue in https://github.com/OpenFeign/feign. We will upgrade when new version becomes available. In the meantime, you can change the version locally.

[JoanaPedrosoDiconium]

Hello. Apparently they already fixed it: OpenFeign/feign#2972 is there any prediction on when this will be incorporated in spring-cloud-openfeign? Will it be included in version 4.3.0?

[OlgaMaciaszek]

We will be able to incorporate it whenever they release a version with the fix.