Impact
Steeltoe.Discovery.Eureka parses service registration entries using DataCenterInfo.FromJson. The parser accepts only the names 'MyOwn' or 'Amazon'; any other value, such as the spec‑defined 'Netflix', triggers an ArgumentException. That exception propagates through the registry deserialization chain and is swallowed by the periodic cache refresh task, which leaves the local service registry permanently empty or stale. Consequently, applications that rely on service discovery cannot locate required services, leading to failures or outages.
Affected Systems
The flaw affects Steeltoe OSS Steeltoe.Discovery.Eureka packages earlier than version 4.2.0 for the .NET ecosystem and earlier than 3.4.0 for other platforms. Environment components that register services using unsupported "DataCenterInfo.name" values, notably "Netflix", within mixed Java/Spring and Steeltoe deployments, are vulnerable. Patching to version 4.2.0 or 3.4.0 removes the issue.
Risk and Exploitability
The CVSS score of 7.5 categorizes the vulnerability as high severity. The EPSS score of less than 1% suggests a low probability of exploitation in the near term, and the vulnerability is not currently listed in CISA’s KEV catalog. An attacker can trigger the denial of service by ensuring that a service registration contains an unsupported "DataCenterInfo.name"; the resulting deserialization error causes the client’s cache refresh routine to corrupt the registry, halting service discovery. The attack vector is likely to be through the registration API or a malicious service provider, and the impact is confined to service discovery failures, though it can cascade to higher‑level application outages.
OpenCVE Enrichment
Github GHSA