Vulnerability detected in transitive dependency commons-fileupload:commons-fileupload version 1.5 (CVE-2025-48976)

[aozmen121]

Vulnerability Details
CVE ID: CVE-2025-48976
Severity: High-risk (DoS vulnerability)
Component: commons-fileupload:commons-fileupload

Affected Versions:
1.0 up to (but excluding) 1.6
2.0.0-M1 up to (but excluding) 2.0.0-M4

Fixed Versions of commons-fileupload:
1.6
2.0.0-M4

Impact
The vulnerability allows for denial-of-service (DoS) attacks due to insufficient limits on resource allocation for multipart headers.

Transitive Origin
The commons-fileupload library is pulled in transitively by spring-cloud-openfeign dependencies.
Please upgrade commons-fileupload affected dependency to a safe version (≥1.6 or ≥2.0.0-M4).

Links:
https://github.com/apache/commons-fileupload/releases/tag/rel%2Fcommons-fileupload-1.6.0
https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload/1.6.0

[aozmen121]

@velo This issue comes from feign-form lib, would you be able to update commons-fileupload version pls

[velo]

Sorry mate.

There are no PRs to fix it. Well there are, but broken build.

[anessi]

PR for reference: #2911

[DRoppelt]

or that one too #2956

[velo]

There are no PRs to fix it. Well there are, but broken build

[DRoppelt]

Ah, I thought that was just a flaky build. I adjusted it, please have a look if you like @velo #2956 (comment), PR Build now green