Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch
Description
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, DataCenterInfo.FromJson throws ArgumentException for any name value other than "MyOwn" or "Amazon", despite the Java Eureka specification defining a third valid value: "Netflix". The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale. Versions 4.2.0 and 3.4.0 patch the issue. If an immediate upgrade is not possible, remove any registrations using unsupported DataCenterInfo.name values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the Netflix data center type before deploying Steeltoe Eureka clients.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: < 4.2.0 (4.x line), < 3.4.0 (3.x line)
Patches
Vulnerability mechanics
Root cause
"DataCenterInfo.FromJson throws an unhandled exception for any name other than "MyOwn" or "Amazon", despite the Java Eureka specification defining "Netflix" as a third valid value, causing the exception to propagate through the deserialization chain and permanently corrupt the local service registry."
Attack vector
An attacker who can control or influence the `DataCenterInfo.name` field in a Eureka instance registration — for example, by registering a malicious service instance with `name` set to `"Netflix"` — triggers an unhandled `ArgumentException` in `DataCenterInfo.FromJson` on any Steeltoe Eureka client that deserializes that registration [ref_id=1][ref_id=2]. The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale [CWE-248]. In mixed Java/Spring and Steeltoe environments, the `Netflix` data center type is a standard value in the Java Eureka specification, so legitimate Java Eureka registrations can inadvertently poison the Steeltoe client's registry without any malicious intent [ref_id=1].
What the fix does
Both patches add an explicit check for the `"Netflix"` data center name in `DataCenterInfo.FromJson`, returning a valid `DataCenterInfo` object with `DataCenterName.Netflix` instead of throwing an exception [patch_id=6466813][patch_id=6466812]. For any unrecognized name, the method now returns `null` rather than throwing `ArgumentException` or `ArgumentOutOfRangeException`, which prevents the exception from propagating through the deserialization chain and corrupting the registry. The unit tests are updated accordingly: the `FromJson_Throws_Invalid` test is replaced with `FromJson_ReturnsNull_WhenInvalid`, and the `FromJson_Correct` test is parameterized to cover all three valid names (`MyOwn`, `Amazon`, `Netflix`) [patch_id=6466813][patch_id=6466812].
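The following C# program is an added illustration written for this page; it is not Steeltoe's code and does not use the Steeltoe API. It reconstructs the pre-fix and post-fix shape of `DataCenterInfo.FromJson` from the advisory text (the method names `FromJsonVulnerable`, `FromJsonPatched`, `Refresh` and `AuditUnsupported` and the enum/record types are assumptions for the example), feeds a constructed `/eureka/apps` JSON payload through a refresh loop that swallows exceptions, and finishes with the pre-upgrade audit the description recommends: listing every registered instance whose `dataCenterInfo.name` a pre-fix client would reject.

```csharp
// Added illustration, not Steeltoe's code. Reconstructs the pre-fix and
// post-fix DataCenterInfo.FromJson contract described in the advisory, runs
// both through a refresh loop that swallows exceptions, and audits a
// constructed /eureka/apps payload for non-"MyOwn"/"Amazon" data center names.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

enum DataCenterName { MyOwn, Amazon, Netflix }

sealed record DataCenterInfo(DataCenterName Name);

static class DataCenterInfoParsing
{
    // Pre-fix shape (reconstructed): "MyOwn" and "Amazon" parse, everything else throws.
    public static DataCenterInfo? FromJsonVulnerable(JsonElement element)
    {
        string name = element.GetProperty("name").GetString() ?? "";
        return name switch
        {
            "MyOwn" => new DataCenterInfo(DataCenterName.MyOwn),
            "Amazon" => new DataCenterInfo(DataCenterName.Amazon),
            _ => throw new ArgumentException($"Unsupported data center name: {name}")
        };
    }

    // Post-fix shape (reconstructed): "Netflix" is accepted and unknown names yield null.
    public static DataCenterInfo? FromJsonPatched(JsonElement element)
    {
        string? name = element.TryGetProperty("name", out var n) ? n.GetString() : null;
        return name switch
        {
            "MyOwn" => new DataCenterInfo(DataCenterName.MyOwn),
            "Amazon" => new DataCenterInfo(DataCenterName.Amazon),
            "Netflix" => new DataCenterInfo(DataCenterName.Netflix),
            _ => null
        };
    }
}

static class EurekaRegistry
{
    // Constructed sample of a Eureka GET /eureka/apps JSON response: a Java
    // service registered with the "Netflix" data center type next to a .NET one.
    public const string SampleApps = @"{""applications"":{""application"":[
      {""name"":""JAVA-SVC"",""instance"":[{""instanceId"":""java-1"",""hostName"":""j1"",
        ""dataCenterInfo"":{""@class"":""com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo"",""name"":""Netflix""}}]},
      {""name"":""DOTNET-SVC"",""instance"":[{""instanceId"":""net-1"",""hostName"":""n1"",
        ""dataCenterInfo"":{""@class"":""com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo"",""name"":""MyOwn""}}]}]}}";

    // Flatten the payload into (application name, instance element) pairs.
    static IEnumerable<(string App, JsonElement Instance)> Instances(JsonDocument doc) =>
        doc.RootElement.GetProperty("applications").GetProperty("application").EnumerateArray()
           .SelectMany(app => app.GetProperty("instance").EnumerateArray()
                                 .Select(inst => (app.GetProperty("name").GetString()!, inst)));

    // One registry fetch: a single rejected instance aborts the whole parse,
    // so applications that were already processed are discarded as well.
    static Dictionary<string, List<string>> Fetch(string json, Func<JsonElement, DataCenterInfo?> parseDc)
    {
        using var doc = JsonDocument.Parse(json);
        var apps = new Dictionary<string, List<string>>();
        foreach (var (app, inst) in Instances(doc))
        {
            parseDc(inst.GetProperty("dataCenterInfo")); // throws in the vulnerable variant
            if (!apps.TryGetValue(app, out var hosts)) apps[app] = hosts = new List<string>();
            hosts.Add(inst.GetProperty("hostName").GetString()!);
        }
        return apps;
    }

    // Model of the periodic cache refresh: the failure is logged and swallowed,
    // so whatever the client held before (here: nothing) stays in place.
    public static Dictionary<string, List<string>> Refresh(
        Dictionary<string, List<string>> cached, string json, Func<JsonElement, DataCenterInfo?> parseDc)
    {
        try { return Fetch(json, parseDc); }
        catch (Exception e) { Console.Error.WriteLine($"registry refresh failed, keeping cache: {e.Message}"); return cached; }
    }

    // Pre-upgrade audit: instanceIds whose dataCenterInfo.name a pre-fix client rejects.
    public static List<string> AuditUnsupported(string json)
    {
        using var doc = JsonDocument.Parse(json);
        return Instances(doc)
            .Where(x => x.Instance.GetProperty("dataCenterInfo").GetProperty("name").GetString() is not ("MyOwn" or "Amazon"))
            .Select(x => $"{x.App}/{x.Instance.GetProperty("instanceId").GetString()}")
            .ToList();
    }

    static void Main()
    {
        var empty = new Dictionary<string, List<string>>();
        Console.WriteLine($"vulnerable: {Refresh(empty, SampleApps, DataCenterInfoParsing.FromJsonVulnerable).Count} apps");
        Console.WriteLine($"patched:    {Refresh(empty, SampleApps, DataCenterInfoParsing.FromJsonPatched).Count} apps");
        Console.WriteLine("unsupported: " + string.Join(", ", AuditUnsupported(SampleApps)));
    }
}
```

Against the constructed payload the vulnerable path returns the empty cache it started with, because the single `Netflix`-typed Java instance aborts the parse before `DOTNET-SVC` is ever stored, while the patched path returns both applications; the audit lists `JAVA-SVC/java-1` as the registration to fix or remove before a pre-4.2.0/3.4.0 client is pointed at that server. To run the audit against a live server, replace `SampleApps` with the body of `GET /eureka/apps` requested with `Accept: application/json`.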
Preconditions
- input: The Steeltoe Eureka client must deserialize a service registration whose DataCenterInfo.name is "Netflix" (or any unrecognized value).
- config: The Steeltoe Eureka client must be running a version prior to 4.2.0 or 3.4.0.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/SteeltoeOSS/Steeltoe/commit/b8ed8557bb595863e4f340051d16b26ba40a75f4 (MISC)
- github.com/SteeltoeOSS/Steeltoe/commit/c34a7399e808d0d11dd977460e81df1f2722df28 (MISC)
- github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-j8ph-6fxj-g533 (CONFIRM)
News mentions
No linked articles in our index yet.