Problem:

When using spring-cloud-starter-openfeign:4.3.0 (via spring-cloud-dependencies:2025.0.0), the dependency tree pulls in:

spring-cloud-starter-openfeign:4.3.0
└── spring-cloud-openfeign-core:4.3.0
    └── feign-form-spring:13.6
        └── commons-fileupload:1.5 ❌ (contains known CVEs)

  • commons-fileupload:1.5 has reported vulnerabilities.
  • feign-form-spring:13.6 declares this dependency.
  • However, the Feign Form repository was archived on Dec 31, 2024 and is no longer maintained, so the upstream project will not release a fix.
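Two Maven-side workarounds for the situation above, added here as an example (not from this issue or from the Spring Cloud project). It assumes a Maven build that imports the spring-cloud-dependencies BOM; the patched version is a placeholder to be filled in from the commons-fileupload release notes for CVE-2025-48976.

```xml
<!-- Added example, not project code. Assumes a Maven build with the
     spring-cloud-dependencies 2025.0.0 BOM in dependencyManagement. -->

<!-- Option A: exclude the transitive commons-fileupload entirely.
     Only safe if nothing in the application uses Feign Form's multipart
     support that depends on it. Verify afterwards with:
       mvn dependency:tree -Dincludes=commons-fileupload
     which should print no matching artifact. -->
<dependency>
  <groupId>org.springframework.cloud</groupId>
  <artifactId>spring-cloud-starter-openfeign</artifactId>
  <exclusions>
    <exclusion>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
    </exclusion>
  </exclusions>
</dependency>

<!-- Option B: keep the artifact but pin a patched release. An explicit
     dependencyManagement entry in the application's own pom overrides
     both the imported BOM and the 1.5 declared by feign-form-spring:13.6.
     FIXED_VERSION_PLACEHOLDER is a placeholder (assumption): replace it
     with a release whose changelog lists the fix for CVE-2025-48976. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>FIXED_VERSION_PLACEHOLDER</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-dependencies</artifactId>
      <version>2025.0.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Whichever option is used, re-run the dependency scanner that flagged commons-fileupload:1.5 so the change is confirmed in the resolved tree rather than assumed from the pom.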

References

  • Archived Feign Form repo: https://github.com/OpenFeign/feign-form
  • Vulnerabilities in commons-fileupload:1.5: https://nvd.nist.gov/vuln/detail/CVE-2025-48976