
Update feign.version to 13.10 in pom.xml #1341

Closed
AhsanSheraz wants to merge 1 commit into spring-cloud:main from AhsanSheraz:fix/update-sping-cloud-openfeign-version

Conversation


@AhsanSheraz AhsanSheraz commented Mar 17, 2026

This PR updates <feign.version> to 13.10.

Reason: the current dependency chain pulls commons-fileupload:1.5 transitively through feign-form-spring, which is affected by CVE-2025-48976 (HIGH). The fixed version is 1.6.0.

Dependency path:

spring-cloud-openfeign-core
 -> feign-form-spring
 -> commons-fileupload:1.5

Updating the managed OpenFeign version fixes this in the dependency management layer and avoids requiring downstream consumers to override commons-fileupload directly.

I also validated the changes locally, and all passed successfully against the multiple JDK versions below:

  • Java 17
  • Java 21
  • Java 25

Fixes #1342

Signed-off-by: ahsan.sheraz <ahsan.sheraz@bonial.com>
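The dependency path described in this PR is something a reviewer would want to confirm from `mvn dependency:tree` output rather than from the description alone. The following script is an added example and is not code from the PR or from the spring-cloud-openfeign project: it parses the plain-text tree format Maven prints, walks the ancestor chain of each node, and reports every occurrence of `commons-fileupload:commons-fileupload` whose version is below the fixed 1.6.0 named in the PR. The two sample trees are constructed; the `1.0.0` versions on the intermediate artifacts and the `demo` project are placeholders, not versions taken from the PR.

```python
"""Find a vulnerable transitive artifact in `mvn dependency:tree` output.

Added example (not part of PR #1341 or the spring-cloud-openfeign project).
It checks the path the PR describes:
    spring-cloud-openfeign-core -> feign-form-spring -> commons-fileupload
and flags commons-fileupload versions below the fixed 1.6.0.
"""
import re
from typing import List, Tuple

# Constructed sample output. Intermediate versions (1.0.0) are placeholders;
# only commons-fileupload 1.5 (vulnerable) and 1.6.0 (fixed) come from the PR.
VULNERABLE_TREE = """\
[INFO] --- dependency:3.6.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0-SNAPSHOT
[INFO] +- org.springframework.cloud:spring-cloud-openfeign-core:jar:1.0.0:compile
[INFO] |  \\- io.github.openfeign.form:feign-form-spring:jar:1.0.0:compile
[INFO] |     \\- commons-fileupload:commons-fileupload:jar:1.5:compile
"""

# Same constructed tree after a managed-version bump brings in the fixed release.
FIXED_TREE = """\
[INFO] com.example:demo:jar:1.0.0-SNAPSHOT
[INFO] +- org.springframework.cloud:spring-cloud-openfeign-core:jar:1.0.0:compile
[INFO] |  \\- io.github.openfeign.form:feign-form-spring:jar:1.0.0:compile
[INFO] |     \\- commons-fileupload:commons-fileupload:jar:1.6.0:compile
"""

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Tree drawing prefix ("+- ", "|  ", "\- ", "   ") is 3 characters per level,
# followed by a Maven coordinate group:artifact:type[:classifier]:version[:scope].
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*)(?P<coord>[A-Za-z0-9_.-]+:[^\s]+)$")


def parse_tree(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, groupId, artifactId, version) for each dependency line."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banners and other non-node lines
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue
        # Scope is optional (absent on the root project line).
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        nodes.append((depth, parts[0], parts[1], version))
    return nodes


def version_key(v: str) -> Tuple[int, ...]:
    """Leading numeric segments of a version, e.g. '1.6.0' -> (1, 6, 0)."""
    nums = []
    for seg in re.split(r"[.-]", v):
        if not seg.isdigit():
            break
        nums.append(int(seg))
    return tuple(nums)


def is_below(version: str, fixed: str) -> bool:
    """True if `version` sorts before `fixed` (zero-padded, so 1.6 == 1.6.0)."""
    a, b = version_key(version), version_key(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def find_paths(tree_text: str, group: str, artifact: str,
               fixed_version: str) -> List[Tuple[List[str], str]]:
    """Return (ancestor path, version) for each vulnerable occurrence."""
    hits = []
    stack: List[str] = []  # artifactId:version of ancestors, indexed by depth
    for depth, g, a, v in parse_tree(tree_text):
        del stack[depth:]  # pop back to this node's parent level
        stack.append(f"{a}:{v}")
        if (g, a) == (group, artifact) and is_below(v, fixed_version):
            hits.append((list(stack), v))
    return hits


if __name__ == "__main__":
    for label, tree in (("before bump", VULNERABLE_TREE), ("after bump", FIXED_TREE)):
        hits = find_paths(tree, "commons-fileupload", "commons-fileupload", "1.6.0")
        if not hits:
            print(f"{label}: no commons-fileupload below 1.6.0")
        for path, version in hits:
            print(f"{label}: commons-fileupload {version} via " + " -> ".join(path))
```

Run it against real output with `mvn dependency:tree` redirected to a file and passed to `find_paths`; the same walk works for any `groupId:artifactId` and fixed version, so it can double as a quick gate in CI before trusting a release note's claim that a transitive CVE is addressed.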
@AhsanSheraz AhsanSheraz force-pushed the fix/update-sping-cloud-openfeign-version branch from ecdb55e to f8d74b8 on March 17, 2026 21:18
@AhsanSheraz AhsanSheraz marked this pull request as ready for review March 17, 2026 21:36
@ryanjbaxter (Contributor) commented

We can only upgrade patches for our dependencies on this branch

@AhsanSheraz (Author) commented Mar 17, 2026

> We can only upgrade patches for our dependencies on this branch

@ryanjbaxter Any plans to fix high CVEs coming from commons-fileupload:1.5? Or should we migrate to https://docs.spring.io/spring-framework/reference/integration/rest-clients.html#rest-http-service-client

@ryanjbaxter (Contributor) commented

The CVE is already addressed in the version we are using according to openfeign https://github.com/OpenFeign/feign/releases/tag/13.6.1


Development

Successfully merging this pull request may close these issues:

Upgrade managed OpenFeign version to resolve transitive commons-fileupload vulnerability

4 participants