That is good to know, and I appreciate that info. I know that making updates to libraries for reasons like this is frowned upon by developers whose time is better spent fixing actual problems. It does mean however that many users will be in a situation where a corporate tool will detect the CVE, requiring the developer to investigate so they can either explain why the CVE is a non-issue, or force them to override the dependency in their build (which I did, because that's the easiest course).
Thanks, Daniel

> Mitigate what?
>
> Commons FileUpload doesn't use the code in Commons IO affected by CVE-2021-29425.
>
> Mark
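The override Daniel describes, forcing the transitive Commons IO version pulled in by Commons FileUpload to a newer release so that a scanner no longer flags CVE-2021-29425, is typically done in Maven with a `dependencyManagement` entry. The fragment below is an added example, not part of the thread or of either Apache project; the version number is a placeholder, since the thread does not state which Commons IO release the scanner considers clean.

```xml
<!-- pom.xml fragment (added example, not from the thread).
     dependencyManagement pins the version Maven resolves for commons-io
     even when it only arrives transitively via commons-fileupload. -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <!-- PLACEHOLDER: set to the release your vulnerability scanner accepts
             for CVE-2021-29425; the thread does not name a version. -->
        <version>FIXED_COMMONS_IO_VERSION</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The direct dependency stays unchanged; only the transitive
         commons-io it brings in is overridden by the block above. -->
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>YOUR_FILEUPLOAD_VERSION</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=commons-io` shows which commons-io version is actually resolved, which is the artifact the scanner will re-evaluate; pinning a version this way does not change the fact Mark states, that FileUpload never calls the affected Commons IO code, it only silences the scanner's version-based match.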