Spring Cloud GCP uses google-cloud-bom for the common dependencies. We have recently turned on Snyk vulnerability detection, and it found a deserialization issue with Guava 20.0.
The recommended remediation step is to upgrade to 24.1.1 or higher.

Would it be possible to upgrade Guava version in google-cloud-clients POM?

Spring Cloud GCP tracking issue: spring-attic/spring-cloud-gcp#1207