Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison
A flaw was found in Spring Boot. An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about a remote secret. In extreme circumstances, this could allow the attacker to determine the secret and upload changed classes, leading to...
ROOT-APP-MAVEN-CVE-2026-40972 CVE-2026-40972 in io.root.org.springframework.boot:spring-boot-devtools - Patched by Root
Root has patched CVE-2026-40972 in the io.root.org.springframework.boot:spring-boot-devtools package for Root:Maven. Multiple fixed versions available...
ai.hyacinth.framework:core-service-admin-server (=0.5.24), ai.hyacinth.framework:core-service-config-server (=0.5.24) +849 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=1.3.0.RELEASE <=2.7.3)
org.springframework.boot:spring-boot-devtools MAVEN version =1.3.0.RELEASE, =Finchley.SR2.SR1, =Finchley.SR4, =Finchley.SR2.SR1, =Finchley.SR2.SR1, =Finchley.SR4, =1.0.0, =0.0.2, =0.0.3, =1.0.0, =1.0.5 - br.com.m4rc310:br-com-m4rc310-graphql =1.0.1 and more Source cves: CVE-2026-40972 Source...
com.okta.spring.examples:okta-spring-boot-hosted-code-flow-example (=3.0.7), com.okta.spring.examples:okta-spring-boot-redirect-code-flow-example (=3.0.7) +21 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=3.3.0 <=3.3.1)
org.springframework.boot:spring-boot-devtools MAVEN version =3.3.0, =1.6.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1 - org.bremersee:common-exception-spring-boot-autoconfigure =1.1.0 - org.bremersee:common-exception-spring-boot-web-starter =1.1.0 -...
io.github.dbmdz.cudami:cudami (>=10.0.0 <=10.2.0-rc.3), io.github.gregor-poloczek.project-maintainer:project-maintainer-ui (>=0.13.0 <=0.20.0) +9 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=3.5.0 <=3.5.11)
org.springframework.boot:spring-boot-devtools MAVEN version =3.5.0, =10.0.0, =0.13.0, =3.2.0, =4.1.1 Source cves: CVE-2026-40972 Source advisory: OSV:GHSA-56V8-86GJ-66JP...
Spring Boot DevTools remote secret comparison is vulnerable to timing attacks
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...
br.com.m4rc310:br-com-m4rc310-core-graphql (>=1.0.2 <=1.0.18), br.com.m4rc310:br-com-m4rc310-core-gtim (>=1.0.4 <=1.0.18) +119 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=3.0.0 <=3.5.11)
org.springframework.boot:spring-boot-devtools MAVEN version =3.0.0, =1.0.2, =1.0.4, =1.0.2, =1.0.16, =1.0.2, =1.0.4, =1.0.2, =1.0.18, =1.0.2, =1.0.2, =1.0.11, =0.0.11, =3.0.0, =4.0.0, =4.0.0-M1 and more Source cves: CVE-2026-40972 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKBOOT-16191381...
com.jayxu:demo (>=0.10.0 <=0.11.0), com.okta.spring.examples:okta-spring-boot-hosted-code-flow-example (>=3.0.9 <=3.1.0) +8 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=4.0.1 <=4.0.3)
org.springframework.boot:spring-boot-devtools MAVEN version =4.0.1, =0.10.0, =3.0.9, =3.0.9, =3.0.9, =3.0.9, =2.0.0, =2.1.1 - de.tschuehly:spring-view-component-thymeleaf =0.9.1 - io.stereov.singularity:core =1.10.6 - org.flowable:flowable-app-rest =8.0.0 - se.swedenconnect.bankid:bankid-idp =1.3...
Malicious code in spring-boot-devtools (npm)
Source: ghsa-malware 24c0313226e487a37c9158c78bc620c0306eb778d0aa789677c0c77811785295 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-6269 Malicious code in spring-boot-devtools (npm)