Conversation

@DRoppelt
Contributor

fixes GHSA-vv7r-c36w-3prj

It does not seem like form-spring would be affected, but this would fix any of the dumb auditing tools that only look for the presence of libs.

@DRoppelt DRoppelt changed the title bump commons-fileupload to fix CVE-2025-48976 bump commons-fileupload to fix CVE-2025-48976 (form-spring) Jul 18, 2025
@DRoppelt
Contributor Author

duplicate of #2940

@DRoppelt
Contributor Author

DRoppelt commented Aug 13, 2025

feign-vertx appears to be crunchy: https://app.circleci.com/pipelines/github/OpenFeign/feign/3980/workflows/39943145-aa46-4d8d-ab39-e95da93e0181/jobs/9602 failed, whereas https://app.circleci.com/pipelines/github/OpenFeign/feign/3981/workflows/d64c1fae-3704-4898-9abe-4f05b44c6f2d/jobs/9604 was a re-run done via a squash of two commits.

[feign-vertx] [ERROR] Errors: 
[feign-vertx] [ERROR]   TimeoutHandlingTest.whenTimeoutIsNotReached(VertxTestContext) » NoStackTraceTimeout The timeout period of 1000ms has been exceeded while executing GET /icecream/flavors for server localhost:43411
[feign-vertx] [INFO] 
[feign-vertx] [ERROR] Tests run: 25, Failures: 0, Errors: 1, Skipped: 2
[feign-vertx] [INFO] 

Also, the bump from commons-fileupload 1.5 to 1.6.0 caused moditect to fail; other modules ignore it too, so I am doing it here as well.
The skip property ignores this error:
[ERROR] Failed to execute goal org.moditect:moditect-maven-plugin:1.3.0.Final:add-module-info (add-module-infos) on project feign-form-spring: Execution add-module-infos of goal org.moditect:moditect-maven-plugin:1.3.0.Final:add-module-info failed: Module portlet.api not found, required by org.apache.commons.fileupload

I tried to configure/tweak moditect-maven-plugin, but found what the plugin does and what kind of config is required confusing, and gave up. It sounds like "form-spring requires portlet.api because of commons-fileupload" (duh), but the plugin docs were not straightforward about how to declare that module requirement.

The bump from commons-fileupload 1.5 to 1.6.0 caused moditect to fail; other modules ignore it too, so doing it here as well.
Ignores:
 [ERROR] Failed to execute goal org.moditect:moditect-maven-plugin:1.3.0.Final:add-module-info (add-module-infos) on project feign-form-spring: Execution add-module-infos of goal org.moditect:moditect-maven-plugin:1.3.0.Final:add-module-info failed: Module portlet.api not found, required by org.apache.commons.fileupload

<properties>
<main.java.version>17</main.java.version>
<moditect.skip>true</moditect.skip>
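Review bot: `<moditect.skip>true</moditect.skip>` disables the whole `add-module-infos` execution for feign-form-spring instead of addressing the `portlet.api` requirement that commons-fileupload 1.6.0 brought in, so this module will no longer get a generated module descriptor. Please add an XML comment next to the property recording the exact error it works around ("Module portlet.api not found, required by org.apache.commons.fileupload") and the dependency bump that triggered it, so the skip can be revisited and reverted once the requirement is declared properly.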
Member

I'm so tempted to remove moditect
