Vulnerability Details
CVE ID: CVE-2025-48976
Severity: High-risk (DoS vulnerability)
Component: commons-fileupload:commons-fileupload
Affected Versions: 1.0 up to (but excluding) 1.6; 2.0.0-M1 up to (but excluding) 2.0.0-M4
Fixed Versions of commons-fileupload: 1.6, 2.0.0-M4

Impact
The vulnerability allows for denial-of-service (DoS) attacks due to insufficient limits on resource allocation for multipart headers.

Transitive Origin
The commons-fileupload library is pulled in transitively by spring-cloud-openfeign dependencies. Please upgrade the affected commons-fileupload dependency to a safe version (≥1.6 or ≥2.0.0-M4).

Links:
https://github.com/apache/commons-fileupload/releases/tag/rel%2Fcommons-fileupload-1.6.0
https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload/1.6.0
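An added example, not part of the original issue or of any project named in it: a Python check that scans `mvn dependency:tree` text output for commons-fileupload:commons-fileupload versions inside the affected ranges listed above and reports the dependency path that pulls each one in. The sample tree, its `0.0.0-sample` placeholder versions and all function names are constructed for illustration.

```python
import re

# Coordinates and version ranges as stated in the issue text above.
ARTIFACT = "commons-fileupload:commons-fileupload"

def parse_version(text):
    """'1.5' -> (1, 5, 0, inf); '2.0.0-M3' -> (2, 0, 0, 3); releases sort last."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-M(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad so that 1.6 == 1.6.0
    return (*nums[:3], int(m.group(2)) if m.group(2) else float("inf"))

AFFECTED = [(parse_version("1.0"), parse_version("1.6")),
            (parse_version("2.0.0-M1"), parse_version("2.0.0-M4"))]

def is_affected(version):
    return any(lo <= parse_version(version) < hi for lo, hi in AFFECTED)

# One tree line: optional "[INFO] ", 3-character indent units, coordinates.
LINE = re.compile(r"^(?:\[INFO\] )?(?P<indent>(?:[| ]  |[+\\]- )*)"
                  r"(?P<coord>[^\s:]+(?::[^\s:]+){3,})")

def find_affected(tree_text):
    """Return [(version, [ancestor coordinates])] for each affected entry."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        depth = len(m.group("indent")) // 3
        parts = m.group("coord").split(":")
        del stack[depth:]  # drop siblings and deeper nodes
        stack.append(m.group("coord"))
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        if ":".join(parts[:2]) == ARTIFACT and is_affected(version):
            hits.append((version, stack[:-1]))
    return hits

# Constructed sample output; versions marked "sample" are placeholders.
SAMPLE_TREE = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.cloud:spring-cloud-starter-openfeign:jar:0.0.0-sample:compile
[INFO] |  +- io.github.openfeign.form:feign-form-spring:jar:0.0.0-sample:compile
[INFO] |  |  +- io.github.openfeign.form:feign-form:jar:0.0.0-sample:compile
[INFO] |  |  \- commons-fileupload:commons-fileupload:jar:1.5:compile
"""

print(find_affected(SAMPLE_TREE))
```

The last coordinate in each reported path is the direct parent that declares the affected version, which is where an exclusion or a managed version override applies.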
Comment From: aozmen121
@velo This issue comes from feign-form lib, would you be able to update commons-fileupload version pls
Comment From: velo
Sorry mate.
There are no PRs to fix it. Well there are, but broken build.
Comment From: anessi
PR for reference: https://github.com/OpenFeign/feign/pull/2911
Comment From: DRoppelt
or that one too https://github.com/OpenFeign/feign/pull/2956