With the last release 4 years ago and the last accepted pull request about 3 years ago, by all means it is a dead project now. It brings a High Sev CVE to the dependency graph, which is not really nice and certainly not in line with the rest of Spring Framework.
Over the weekend I will do some research on what it could be replaced with and report back.
- https://central.sonatype.com/artifact/io.github.openfeign.form/feign-form/3.8.0/versions
- https://github.com/advisories/GHSA-hfrx-6qgj-fp6c
Comment From: OlgaMaciaszek
Hello @vstoyanov, thanks for reporting the issue. That dependency is still under official maintenance by the OpenFeign team. A PR has been submitted to fix the issue. We will monitor what is happening to that PR and try to offer a workaround if necessary.
Comment From: OlgaMaciaszek
Have overridden it in Spring Cloud OpenFeign. Workaround can be removed once it's been fixed in Feign-Form.
Comment From: mgbardakov
I'm not sure if this fixes the problem. If I'm not mistaken, just changing a dependency version isn't enough. https://devhub.checkmarx.com/cve-details/CVE-2023-24998/ A new config `FileUploadBase#setFileCountMax` should be enabled also, so I guess we still need a collaboration with the OpenFeign team.
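The `setFileCountMax` setting referred to above, shown as an added example (not code from feign-form, Spring Cloud OpenFeign, or the commenter): a Java wrapper around commons-fileupload 1.5's `ServletFileUpload` that applies the part-count limit explicitly, since the upgraded library leaves it unlimited by default. The class name and limit values are constructed for illustration.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public final class BoundedMultipartParser {

    // Constructed limits for this example; tune them to the application.
    private static final long MAX_PARTS = 20;                // parts per request
    private static final long MAX_PART_BYTES = 5L << 20;     // 5 MiB per part
    private static final long MAX_REQUEST_BYTES = 50L << 20; // 50 MiB per request

    private final ServletFileUpload upload;

    public BoundedMultipartParser() {
        upload = new ServletFileUpload(new DiskFileItemFactory());
        // setFileCountMax was added in commons-fileupload 1.5 as the fix for
        // CVE-2023-24998. Its default is -1 (unlimited), so bumping the version
        // alone does not enable the protection; the limit must be set here.
        upload.setFileCountMax(MAX_PARTS);
        // Per-part and whole-request byte limits complement the part-count cap.
        upload.setFileSizeMax(MAX_PART_BYTES);
        upload.setSizeMax(MAX_REQUEST_BYTES);
    }

    public List<FileItem> parse(HttpServletRequest request) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("not a multipart request");
        }
        // parseRequest aborts with a FileUploadException as soon as the part
        // count exceeds MAX_PARTS, instead of buffering every part first.
        return upload.parseRequest(request);
    }
}
```

Callers should treat the `FileUploadException` as a client error (HTTP 413 or 400) and log it, since repeated hits on the limit are worth alerting on.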
Comment From: OlgaMaciaszek
Hi @mgbardakov, thanks for bringing this up; it's a good point. However, in order to verify this, I have gone through the code in feign-form that uses commons-fileupload and, actually, only a lower-level API is used there, and the FileUpload API that is the entry point for this CVE is not used, so actually the code would not even be affected by this vulnerability with the 1.4 dep version.