Skip to content

bump commons-fileupload to fix CVE-2025-48976 (form-spring)#2956

Merged
velo merged 1 commit intoOpenFeign:masterfrom
DRoppelt:master
Aug 14, 2025
Merged

bump commons-fileupload to fix CVE-2025-48976 (form-spring)#2956
velo merged 1 commit intoOpenFeign:masterfrom
DRoppelt:master

Conversation

@DRoppelt
Copy link
Contributor

@DRoppelt DRoppelt commented Jul 18, 2025

fixes GHSA-vv7r-c36w-3prj

It does not seem like form-spring would be affected, but this would fix any of the dumb auditing tools that only look for the presence of libs

@DRoppelt DRoppelt changed the title bump commons-fileupload to fix CVE-2025-48976 bump commons-fileupload to fix CVE-2025-48976 (form-spring) Jul 18, 2025
@DRoppelt
Copy link
Contributor Author

DRoppelt commented Jul 23, 2025

duplicate of #2940

@DRoppelt DRoppelt mentioned this pull request Aug 12, 2025
Closed
@DRoppelt
Copy link
Contributor Author

DRoppelt commented Aug 13, 2025
edited
Loading

feign-vertx appears to be crunchy, https://app.circleci.com/pipelines/github/OpenFeign/feign/3980/workflows/39943145-aa46-4d8d-ab39-e95da93e0181/jobs/9602 failed where https://app.circleci.com/pipelines/github/OpenFeign/feign/3981/workflows/d64c1fae-3704-4898-9abe-4f05b44c6f2d/jobs/9604 was a re-run done via a squash of two commits

[feign-vertx] [ERROR] Errors: 
[feign-vertx] [ERROR]   TimeoutHandlingTest.whenTimeoutIsNotReached(VertxTestContext) » NoStackTraceTimeout The timeout period of 1000ms has been exceeded while executing GET /icecream/flavors for server localhost:43411
[feign-vertx] [INFO] 
[feign-vertx] [ERROR] Tests run: 25, Failures: 0, Errors: 1, Skipped: 2
[feign-vertx] [INFO]

Also, bump from commons-fileupload 1.5 to 1.6.0 caused moditect to fail, other modules ignore it too, doing it here as well
the skip property ignores this error
[ERROR] Failed to execute goal org.moditect:moditect-maven-plugin:1.3.0.Final:add-module-info (add-module-infos) on project feign-form-spring: Execution add-module-infos of goal org.moditect:moditect-maven-plugin:1.3.0.Final:add-module-info failed: Module portlet.api not found, required by org.apache.commons.fileupload

I tried to configure/tweak moditect-maven-plugin, but found what the plugin does or what kind of config is required confusing and gave up. It sounds like a "form-spring requires portlet.api, because of commons-fileupload" (duh), the plugin docs were not straight forward to declare that module-requirement

@DRoppelt
bump commons-fileupload to fix CVE-2025-48976
6f9a4c4 
bump from commons-fileupload 1.5 to 1.6.0 caused moditect to fail, other modules ignore it too, doing it here as well
ignores:
 [ERROR] Failed to execute goal org.moditect:moditect-maven-plugin:1.3.0.Final:add-module-info (add-module-infos) on project feign-form-spring: Execution add-module-infos of goal org.moditect:moditect-maven-plugin:1.3.0.Final:add-module-info failed: Module portlet.api not found, required by org.apache.commons.fileupload
velo
velo reviewed Aug 14, 2025
View reviewed changes
form-spring/pom.xml

<properties>
<main.java.version>17</main.java.version>
<moditect.skip>true</moditect.skip>
Copy link
Member

@velo velo Aug 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm so tempted to remove moditect

@velo velo merged commit afb1f76 into OpenFeign:master Aug 14, 2025
3 checks passed
This was referenced Oct 20, 2025
Closed
Closed
@maxl2287
Copy link

maxl2287 commented Feb 20, 2026

@velo is it possible to bump this commit / PR into an own Patch release 13.6.1?
So that spring-cloud could add this as a patch release in their next release?

@velo
Copy link
Member

velo commented Feb 20, 2026

🤖 Claude Bot — A patch release 13.6.1 has been created and published to Maven Central.

Release: https://github.com/OpenFeign/feign/releases/tag/13.6.1

This includes the commons-fileupload bump from this PR.

@maxl2287
Copy link

maxl2287 commented Feb 20, 2026

🤖 Claude Bot — A patch release 13.6.1 has been created and published to Maven Central.

Release: https://github.com/OpenFeign/feign/releases/tag/13.6.1

This includes the commons-fileupload bump from this PR.

@velo i Saw that the Build failed. 🤔

@iProdigy
Copy link
Contributor

iProdigy commented Feb 20, 2026

@velo i Saw that the Build failed. 🤔

Looks published on maven https://repo1.maven.org/maven2/io/github/openfeign/feign-form-spring/13.6.1/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@velo velo velo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@DRoppelt @maxl2287 @velo @iProdigy