{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/steeltoe.discovery.eureka-vulnerable--3.3.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-50196"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Steeltoe.Discovery.Eureka (vulnerable: \u003e= 4.0.0, \u003c= 4.1.0)","Steeltoe.Discovery.Eureka (vulnerable: \u003c= 3.3.0)"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","service-discovery",".net","java","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Steeltoe"],"content_html":"\u003cp\u003eThe Steeltoe.Discovery.Eureka client contains a critical vulnerability, identified as CVE-2026-50196, that can lead to a complete service discovery outage. The flaw resides in the \u003ccode\u003eDataCenterInfo.FromJson\u003c/code\u003e method, which is responsible for deserializing service registry information. This method incorrectly throws an \u003ccode\u003eArgumentException\u003c/code\u003e when it encounters any \u003ccode\u003eDataCenterInfo.name\u003c/code\u003e value other than \u0026quot;MyOwn\u0026quot; or \u0026quot;Amazon\u0026quot;. Crucially, the valid \u0026quot;Netflix\u0026quot; value, specified in the Java Eureka standard, is unrecognized. This exception propagates through the entire registry deserialization chain and is silently swallowed by the client's periodic cache refresh task. Consequently, the Steeltoe client's local service registry remains permanently empty or stale, severing its ability to perform service lookups. This issue affects versions \u003ccode\u003e\u0026gt;= 4.0.0, \u0026lt;= 4.1.0\u003c/code\u003e and versions \u003ccode\u003e\u0026lt;= 3.3.0\u003c/code\u003e of the \u003ccode\u003enuget/Steeltoe.Discovery.Eureka\u003c/code\u003e package. It matters for defenders because a single, legitimate registration by a Java or Spring service in a mixed environment can inadvertently trigger a widespread denial of service for all Steeltoe clients.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA legitimate non-Steeltoe Eureka client (e.g., a Java or Spring Boot application) registers itself with a Eureka server.\u003c/li\u003e\n\u003cli\u003eThe registering client sends its \u003ccode\u003eDataCenterInfo.name\u003c/code\u003e as \u0026quot;Netflix\u0026quot;, which is a valid value according to the Java Eureka specification.\u003c/li\u003e\n\u003cli\u003eA Steeltoe Eureka client (using the vulnerable \u003ccode\u003eSteeltoe.Discovery.Eureka\u003c/code\u003e package) attempts to fetch the full service registry from the Eureka server via an HTTP GET request.\u003c/li\u003e\n\u003cli\u003eDuring the internal deserialization process of the fetched registry data, the Steeltoe client's \u003ccode\u003eDataCenterInfo.FromJson\u003c/code\u003e method encounters the \u0026quot;Netflix\u0026quot; value for \u003ccode\u003eDataCenterInfo.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDataCenterInfo.FromJson\u003c/code\u003e method, which only recognizes \u0026quot;MyOwn\u0026quot; or \u0026quot;Amazon\u0026quot; as valid names, incorrectly throws an \u003ccode\u003eArgumentException\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis \u003ccode\u003eArgumentException\u003c/code\u003e propagates through the registry fetch process and is subsequently swallowed by the Steeltoe client's periodic cache refresh task.\u003c/li\u003e\n\u003cli\u003eThe Steeltoe client's local service registry cache fails to populate or update, leading to a persistent empty or stale state.\u003c/li\u003e\n\u003cli\u003eImpact: All services relying on this Steeltoe client for service discovery experience a complete outage due to the inability to resolve service lookups, which persists until the triggering registration is removed.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability results in a complete and persistent service discovery outage for all Steeltoe Eureka clients connected to the affected registry. New clients will start with an empty service registry, while running clients will cease to refresh their local cache, effectively rendering them unable to locate or communicate with other services. This outage is triggered by the presence of a single registration with an unrecognized \u003ccode\u003eDataCenterInfo.name\u003c/code\u003e (such as \u0026quot;Netflix\u0026quot;, which is valid in Java Eureka). It can be inadvertently caused by legitimate Java or Spring services in a mixed environment, leading to widespread unavailability across microservice architectures until the problematic registration is manually removed from the Eureka server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize upgrading all instances of \u003ccode\u003eSteeltoe.Discovery.Eureka\u003c/code\u003e to a patched version that addresses CVE-2026-50196.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not possible, audit your Eureka registry for any registrations using \u003ccode\u003eDataCenterInfo.name\u003c/code\u003e values other than \u0026quot;MyOwn\u0026quot; or \u0026quot;Amazon\u0026quot;, specifically \u0026quot;Netflix\u0026quot;, and remove them.\u003c/li\u003e\n\u003cli\u003eIn environments with mixed Java/Spring and Steeltoe Eureka clients, proactively audit for the presence of the \u003ccode\u003eNetflix\u003c/code\u003e data center type before deploying Steeltoe Eureka clients to prevent CVE-2026-50196 from being triggered.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:23:15Z","date_published":"2026-07-03T11:23:15Z","id":"https://feed.craftedsignal.io/briefs/2026-07-steeltoe-eureka-deserialization-dos/","summary":"The Steeltoe.Discovery.Eureka client contains a vulnerability (CVE-2026-50196) where its `DataCenterInfo.FromJson` method throws an `ArgumentException` if a `DataCenterInfo.name` value other than 'MyOwn' or 'Amazon' is encountered, specifically missing the valid 'Netflix' value from the Java Eureka specification, which causes the local service registry to become permanently empty or stale, leading to a complete service discovery outage for all connected Steeltoe Eureka clients.","title":"Steeltoe.Discovery.Eureka Deserialization Denial-of-Service (CVE-2026-50196)","url":"https://feed.craftedsignal.io/briefs/2026-07-steeltoe-eureka-deserialization-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Steeltoe.Discovery.Eureka (Vulnerable: \u003c= 3.3.0)","version":"https://jsonfeed.org/version/1.1"}