While updating from Spring Boot 3.3 and Spring Cloud 2023.0.6 (spring-cloud-starter-netflix-eureka-client 4.1.6) to Spring Boot 3.5 and Spring Cloud 2025.0.0 (spring-cloud-starter-netflix-eureka-client 4.3.0), I noticed that a new CVE warning popped up, caused by guava 14.0.1.
This guava version actually has multiple security issues: https://mvnrepository.com/artifact/com.google.guava/guava/14.0.1
In 4.1.6 there is a dependency on eureka-core, which brings in a much newer version of guava. But that eureka-core dependency was removed via b53540ef4736d8bcc02e11294f1b1a6b16e75bf8, which also means that 4.2.x is affected as well.
Btw, I've also cross-checked via ./mvnw dependency:tree -f spring-cloud-starter-netflix-eureka-client | grep -P 'guava|$' on main and the various tags involved.
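The cross-check above relies on reading the dependency tree by eye. The following is an added example (not part of the issue, and not code from Spring Cloud or Eureka) that turns the same check into something a CI job can fail on: it parses `mvn dependency:tree` output for every `com.google.guava:guava` node and reports any whose major version is below a minimum. The tree text is constructed inline so the script runs offline; only the guava 14.0.1 and starter 4.3.0 versions come from the report, the `eureka-client` version `9.9.9` and the `com.example:other-lib` node are placeholders.

```shell
#!/bin/sh
# Added example: flag Guava versions below a minimum in `mvn dependency:tree` output.
# In a real pipeline, pipe `./mvnw dependency:tree -f <module>` into check_guava_minimum.

# Constructed sample of dependency:tree output (not captured from a real build;
# eureka-client 9.9.9 and com.example:other-lib are placeholders).
SAMPLE_TREE='[INFO] org.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:4.3.0:compile
[INFO] |  +- com.netflix.eureka:eureka-client:jar:9.9.9:compile
[INFO] |  |  +- com.google.guava:guava:jar:14.0.1:compile
[INFO] +- com.example:other-lib:jar:1.2.3:compile
[INFO] |  +- com.google.guava:guava:jar:33.0.0-jre:compile'

# Read tree text on stdin; print one "groupId:artifactId:version" per distinct guava node.
# The tree format is groupId:artifactId:type:version:scope, so version is field 4.
guava_versions() {
  grep -oE 'com\.google\.guava:guava:jar:[^:]+' \
    | awk -F: '{ print $1 ":" $2 ":" $4 }' \
    | sort -u
}

# Read tree text on stdin; exit 0 when every guava node has major version >= $1,
# exit 1 (and print the offenders) otherwise. Comparing the major component is
# enough to separate the 14.x line from the 3x.x-jre line; versions whose first
# component is not numeric are skipped rather than treated as a shell error.
check_guava_minimum() {
  min_major="$1"
  violations=0
  for v in $(guava_versions | cut -d: -f3); do
    major=${v%%.*}
    case $major in
      ''|*[!0-9]*) continue ;;
    esac
    if [ "$major" -lt "$min_major" ]; then
      echo "guava $v is below required ${min_major}.x"
      violations=$((violations + 1))
    fi
  done
  [ "$violations" -eq 0 ]
}

# Stand-alone usage against the constructed tree.
printf '%s\n' "$SAMPLE_TREE" | check_guava_minimum 32 \
  && echo "guava check passed" \
  || echo "guava check failed"
```

Running the block prints the 14.0.1 violation and "guava check failed"; swapping the constructed tree for live `dependency:tree` output gives a non-zero exit that a build step can act on.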