Description
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, `DataCenterInfo.FromJson` throws `ArgumentException` for any `name` value other than `"MyOwn"` or `"Amazon"`, despite the Java Eureka specification defining a third valid value: `"Netflix"`. The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale. Versions 4.2.0 and 3.4.0 patch the issue. If an immediate upgrade is not possible, remove any registrations using unsupported `DataCenterInfo.name` values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the `Netflix` data center type before deploying Steeltoe Eureka clients.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Steeltoe.Discovery.Eureka parses service registration entries using DataCenterInfo.FromJson. The parser accepts only the names 'MyOwn' or 'Amazon'; any other value, such as the spec‑defined 'Netflix', triggers an ArgumentException. That exception propagates through the registry deserialization chain and is swallowed by the periodic cache refresh task, which leaves the local service registry permanently empty or stale. Consequently, applications that rely on service discovery cannot locate required services, leading to failures or outages.

Affected Systems

The flaw affects Steeltoe OSS Steeltoe.Discovery.Eureka packages earlier than version 4.2.0 for the .NET ecosystem and earlier than 3.4.0 for other platforms. Environment components that register services using unsupported "DataCenterInfo.name" values, notably "Netflix", within mixed Java/Spring and Steeltoe deployments, are vulnerable. Patching to version 4.2.0 or 3.4.0 removes the issue.

Risk and Exploitability

The CVSS score of 7.5 categorizes the vulnerability as high severity. The EPSS score of less than 1% suggests a low probability of exploitation in the near term, and the vulnerability is not currently listed in CISA’s KEV catalog. An attacker can trigger the denial of service by ensuring that a service registration contains an unsupported "DataCenterInfo.name"; the resulting deserialization error causes the client’s cache refresh routine to corrupt the registry, halting service discovery. The attack vector is likely to be through the registration API or a malicious service provider, and the impact is confined to service discovery failures, though it can cascade to higher‑level application outages.

Generated by OpenCVE AI on June 18, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Steeltoe.Discovery.Eureka to version 4.2.0 or 3.4.0, depending on your platform.
  • If an upgrade cannot be performed immediately, delete all service registrations that contain a "DataCenterInfo.name" other than "MyOwn" or "Amazon" from your Eureka registry to prevent deserialization failures.
  • Audit and verify that no Steeltoe clients in mixed Java/Spring environments register services with the DataCenterInfo.name "Netflix" before deployment.

Generated by OpenCVE AI on June 18, 2026 at 19:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j8ph-6fxj-g533 Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch
History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Steeltoeoss
Steeltoeoss steeltoe.discovery.eureka
Vendors & Products Steeltoeoss
Steeltoeoss steeltoe.discovery.eureka

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, `DataCenterInfo.FromJson` throws `ArgumentException` for any `name` value other than `"MyOwn"` or `"Amazon"`, despite the Java Eureka specification defining a third valid value: `"Netflix"`. The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale. Versions 4.2.0 and 3.4.0 patch the issue. If an immediate upgrade is not possible, remove any registrations using unsupported `DataCenterInfo.name` values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the `Netflix` data center type before deploying Steeltoe Eureka clients.
Title Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch
Weaknesses CWE-20
CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Steeltoeoss Steeltoe.discovery.eureka
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T13:54:17.665Z

Reserved: 2026-06-03T22:05:13.645Z

Link: CVE-2026-50196

cve-icon Vulnrichment

Updated: 2026-06-18T13:49:07.094Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:56:56Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-400

    Uncontrolled Resource Consumption