The vulnerability in Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0 involves improper input validation (CWE-20) in the DataCenterInfo.FromJson method. It throws an ArgumentException when the 'name' field contains the value "Netflix", which is valid per the Java Eureka specification but not handled by Steeltoe. This exception disrupts the registry deserialization process and is swallowed by the periodic cache refresh task, causing the local service registry to remain empty or stale indefinitely. This can lead to denial of service conditions in service discovery. The issue is patched in versions 4.2.0 and 3.4.0. As a temporary mitigation, removing unsupported 'name' values from the registry is advised, and auditing for the 'Netflix' data center type is recommended in mixed environments.

The vulnerability causes the local service registry to become permanently empty or stale due to unhandled exceptions during registry deserialization. This results in a denial of service impact on service discovery functionality, potentially disrupting cloud-native applications relying on Steeltoe.Discovery.Eureka for service registration and discovery. There is no confidentiality or integrity impact reported.

A fix is available in Steeltoe.Discovery.Eureka versions 4.2.0 and 3.4.0. Upgrading to these versions is the recommended remediation. If immediate upgrade is not feasible, remove any registry entries using unsupported DataCenterInfo.name values such as "Netflix". Additionally, audit for the presence of the "Netflix" data center type in mixed Java/Spring and Steeltoe environments before deploying Steeltoe Eureka clients to prevent triggering this issue.