While updating from Spring Boot 3.3 and Spring Cloud 2023.0.6 (spring-cloud-starter-netflix-eureka-client
4.1.6 respectively) to Spring Boot 3.5 and Spring Cloud 2025.0.0 (spring-cloud-starter-netflix-eureka-client
4.3.0 respectively) I noticed that a new CVE warning popped up caused by guava 14.0.1.
This guava version has actually multiple security issues: https://mvnrepository.com/artifact/com.google.guava/guava/14.0.1
In 4.1.6 there is a dependency to eureka-core which brings in a much newer version of guava:
But that eureka-core dependency was removed via b53540ef4736d8bcc02e11294f1b1a6b16e75bf8 which also means that 4.2.x is affected as well.
Btw, I've also cross-checked via ./mvnw dependency:tree -f spring-cloud-starter-netflix-eureka-client | grep -P 'guava|$' on main and the various tags involved.
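The cross-check above is done by eye over the dependency:tree output. The following added example (not from the issue author or the spring-cloud-netflix project) turns it into a repeatable check: it extracts every com.google.guava:guava version from a dependency:tree listing and fails when any of them is below a minimum major version. The tree text is constructed sample output; the intermediate artifact names and versions in it are placeholders, not the real eureka-client dependency chain, and the minimum major of 33 is an assumption chosen to match the version the issue mentions as current.

```shell
#!/bin/sh
# Constructed sample of `./mvnw dependency:tree` output (placeholder artifacts,
# not the real transitive chain); the guava 14.0.1 line mirrors the report.
SAMPLE_TREE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:4.3.0:compile
[INFO] |  \- com.example:transitive-lib:jar:1.0.0:compile
[INFO] |     \- com.google.guava:guava:jar:14.0.1:compile
[INFO] \- org.springframework.boot:spring-boot-starter:jar:3.5.0:compile'

# Constructed sample after pinning guava via dependencyManagement.
FIXED_TREE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:4.3.0:compile
[INFO] |  \- com.example:transitive-lib:jar:1.0.0:compile
[INFO] |     \- com.google.guava:guava:jar:33.3.1-jre:compile
[INFO] \- org.springframework.boot:spring-boot-starter:jar:3.5.0:compile'

# Print each distinct guava version found in a dependency tree, one per line.
# $1: dependency:tree output text
guava_versions() {
    printf '%s\n' "$1" \
        | grep -o 'com\.google\.guava:guava:jar:[^:]*' \
        | cut -d: -f4 \
        | sort -u
}

# Return 0 if every guava version in the tree has major >= $2, else 1.
# $1: dependency:tree output text, $2: minimum acceptable major version
guava_meets_minimum() {
    tree="$1"
    min_major="$2"
    status=0
    for v in $(guava_versions "$tree"); do
        major=${v%%.*}            # "14.0.1" -> "14", "33.3.1-jre" -> "33"
        if [ "$major" -lt "$min_major" ]; then
            echo "guava $v is below the required major version $min_major" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone demonstration on the constructed samples.
guava_meets_minimum "$SAMPLE_TREE" 33 || echo "sample tree: check failed as expected"
guava_meets_minimum "$FIXED_TREE" 33 && echo "fixed tree: check passed"
```

Against a real build, feed it the live tree with `guava_meets_minimum "$(./mvnw dependency:tree)" 33`; a non-zero exit is suitable as a CI gate. The usual Maven remedy when the check fails is to declare the desired guava version under dependencyManagement in the consuming project, which is the kind of explicit transitive management the thread asks the starter to provide.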
Comment From: spencergibb
These aren't managed by spring-cloud-netflix.
Comment From: famod
Sure, but it's not uncommon for frameworks and platforms to manage transitive dependencies explicitly to resolve conflicts or (like in this case) mitigate CVEs, so that users/consumers don't have to do it themselves.
I don't see any activity over at https://github.com/Netflix/netflix-commons/issues/44 (see also https://github.com/Netflix/netflix-commons/issues/39). I also don't see much activity one level further up (on eureka level), e.g.: https://github.com/Netflix/eureka/issues/1539
So it would be great if spring-cloud-netflix would fill the gap.
Comment From: spencergibb
Unfortunately, guava regularly has breaking changes in releases. Your image shows that guava 14 was not included in your dependencies, and it uses guava 33.
Comment From: famod
The screenshot is from spring-cloud-starter-netflix-eureka-client 4.1.6 when there was still a dependency to eureka-core. This issue starts with 4.2 and is still present in the latest release.
Comment From: spencergibb
PRs welcome
Comment From: famod
Btw, regarding:
> Unfortunately, guava regularly has breaking changes in releases.
Agreed! In my project we chose to avoid guava 33.4.x and went with 33.3.1 for now, exactly because of that.