On behalf of the community, I am pleased to announce that Spring Cloud OpenFeign versions 2.2.10.RELEASE, 3.0.5 and 3.1.0-M4 have been released.

These are primarily security releases with fixes for the CVE-2021-22044.

Applications using type-level @RequestMappingannotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to @RequestMapping-annotated interface methods. Although a response is not returned for a request sent in this way, it does reach the corresponding server-side endpoint.

The practice of using a type-level @RequestMapping on a Feign client interface has been discouraged in the documentation, but we're now taking the step to reject it completely.

These versions will be picked up later by the 2020.0.x and 2021.0.x release trains, however, we recommend you already upgrade Spring Cloud OpenFeign in your projects to these most recent versions.

See all issues included in 2.2.10.RELEASE here See all issues included in 3.1.0-M4 here No additional issues were included for 3.0.5.