spring-cloud-openfeign:4.3.0 depends on archived feign-form-spring:13.6 which pulls vulnerable commons-fileupload:1.5

[ziad-saade]

Problem:

When using spring-cloud-starter-openfeign:4.3.0 (via spring-cloud-dependencies:2025.0.0), the dependency tree pulls in:

spring-cloud-starter-openfeign:4.3.0
└── spring-cloud-openfeign-core:4.3.0
└── feign-form-spring:13.6
└── commons-fileupload:1.5 ❌ (contains known CVEs)

• commons-fileupload:1.5 has reported vulnerabilities.
• feign-form-spring:13.6 declares this dependency.
• However, the Feign Form repository was archived on Dec 31, 2024 and is no longer maintained. This means the upstream project will not release a fix.

References

-Archived Feign Form repo: https://github.com/OpenFeign/feign-form
-Vulnerabilities in commons-fileupload:1.5: https://nvd.nist.gov/vuln/detail/CVE-2025-48976

[DidierLoiseau]

This appears to be a duplicate of #1221.

Moreover, the information in the description is not correct. feign-fom-spring was merged into OpenFeign/feign. I updated its groupId in #1111 – in fact release 13.6 was only published under the new one.

The dependency to commons-fileupload was actually updated in OpenFeign/feign#2956. The maintainer also indicated in OpenFeign/feign#2911 that they are planning to publish a release soon. I think the new release will depend on SB 3.5 though.