PKCE Downgrade in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

Spring Framework URL Parsing with Host Validation

Applications that use UriComponentsBuilder to parse an externally provided URL e.g. through a query parameter AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks...

Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated

In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticatedAuthentication method. Specifically, an application is vulnerable if: An application...

A Bootiful Podcast: programming language archaeologist Ted Neward

Hi, Spring fans! In this installment, I talk to programming language archaeologist Ted Neward...

A Bootiful Podcast: Cloud Native Whitney Lee

Hi, Spring fans! In this installment, I talk to legendary Cloud Native Whitney Lee about cloud infrastructure, that one trick every dev must know, her new operations-centric gameshow, and more. Happy holidays to y'all!...

This Week in Spring - October 24th, 2023

Hi, Spring fans! This week I'm in Lisbon, and Porto, Portugal, ahead of the Porto Tech Hub event in Porto, and my tour bus is about to leave! So, let's dive right into it! Spring Authorization Server 1.1.3, 1.0.4 and 0.4.4 available now Spring Authorization Server 1.2.0-RC1 available now Spring...

Insertion of Sensitive Information into Log Sourced from Failed Revocation of Tokens

In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token. Specifically, an application is vulnerable when all of the...

Potential Unintended Data Exposure for Resource Exposed by Spring Data REST

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...

Spring Cloud Function Dos Vulnerability

In Spring Cloud Function versions 3.2.5 and older unsupported versions, it is possible for a user who directly interacts with framework provided lookup functionality to cause denial of service condition due to the caching issue in Function Catalog component of the framework. At the time of writin...

Spring Cloud Gateway Request Vulnerability

Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services...

RFD Protection Bypass via jsessionid

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter...

Directory Traversal with spring-cloud-config-server

Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted UR...

CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC spring-webmvc module or Spring WebFlux spring-webflux module endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not inclu...

Reactor Netty Consumes a Vulnerable Version of Netty

Reactor Netty, versions 0.8.x prior to 0.8.13 and 0.9.x prior to 0.9.1, depends on vulnerable versions of netty versions prior to 4.1.42, which incorrectly handles whitespace before a colon in headers, leading to HTTP request smuggling attacks...

PlaintextPasswordEncoder authenticates encoded passwords that are null

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...

Open Redirector in spring-security-oauth2

Spring Security OAuth, versions 2.3 prior to 2.3.5 , and 2.2 prior to 2.2.4 , and 2.1 prior to 2.1.4 , and 2.0 prior to 2.0.17 , and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request t...

XML External Entity Injection (XXE)

Spring Integration spring-integration-xml and spring-integration-ws modules, versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection XXE when receiving XML data from untrusted sources...

DoS Attack via Range Requests

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler , or starting in 5.0 when an annotated controll...

Privilege Escalation in spring-security-oauth2

Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval...

Unsafe Unzip with spring-integration-zip

spring-integration-zip , versions prior to 1.0.2, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive affects other archives as well, bzip2, tar, xz, war, cpio, 7z, that holds path traversal filenames. So when the filename gets concatenated to...

Unsafe Unzip with spring-integration-zip

spring-integration-zip , versions prior to 1.0.1, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive affects other archives as well, bzip2, tar, xz, war, cpio, 7z, that holds path traversal filenames. So when the filename gets concatenated to...

Remote Code Execution with spring-security-oauth2

Spring Security OAuth, versions 2.3 prior to 2.3.3 and 2.2 prior to 2.2.2 and 2.1 prior to 2.1.2 and 2.0 prior to 2.0.15 and older unsupported versions, contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint th...

Unauthorized Access with Spring Security Method Security

Spring Security in combination with Spring Framework 5.0.5.RELEASE contain an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted...

Issuer validation regression in Spring Cloud SSO Connector

Spring Cloud SSO Connector, version 2.1.2, contains a regression which disables issuer validation in resource servers that are not bound to the SSO service. In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers which use this version of...

Remote Code Execution with spring-messaging

Spring Framework, versions 5.0.x prior to 5.0.5 and versions 4.3.x prior to 4.3.16, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or attacker can craft a messag...

Directory Traversal with Spring MVC on Windows

Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources e.g. CSS, JS, images. When static resources are served from a file system on Windows as opposed to the classpath, or the ServletContext, a...

Spring Batch Admin vulnerable to Cross Site Request Forgery

Spring Batch Admin does not contain Cross Site Request Forgery CSRF protection, which may allow an attacker to craft a malicious site that executes requests to Spring Batch Admin...

Remote code execution in spring-amqp

In affected versions of Spring AMQP, a org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack...

Data Binding Expression Vulnerability in Spring Web Flow

This CVE addresses a second path to exploiting the same vulnerability as the one described under CVE-2017-4971 . Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default i.e. set to “false” can be vulnerable to malicious EL...

Spring Data JPA Blind SQL Injection Vulnerability

Sort instances handed into user defined Spring Data repository query methods using manually declared JPQL queries are handed to the persistence provider as is and allow attackers to inject arbitrary JPQL into ORDER BY clauses which they might use to draw conclusions about non-exposed fields based...

Remote Code Execution (RCE) in Spring Security OAuth

When processing authorization requests using the whitelabel views, the responsetype parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for responsetype...

Remote Code Execution in Spring AMQP

The class org.springframework.core.serializer.DefaultDeserializer does not validate the deserialized object against a whitelist. By supplying a crafted serialized object like Chris Frohoff's Commons Collection gadget, remote code execution can be achieved...

Spring Social CSRF

When authorizing an application against an OAuth 2 API provider, Spring Social is vulnerable to a Cross-Site Request Forgery CSRF attack. The attack involves a malicious user beginning an OAuth 2 authorization flow using a fake account with an OAuth 2 API provider, but completing it by tricking t...

RFD Attack in Spring Framework

Under some situations, the Spring Framework is vulnerable to a Reflected File Download RFD attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the...

Insufficiently random session id in Java SockJS client

Session id generation in the Java SockJS client is not sufficiently secure and could allow a user to send messages to another user’s session. Note that this only affects users of the Java SockJS client, which generates its own session id. It does not affect browser clients even if they’re...

Directory Traversal in Spring Framework

Some URLs were not santized correctly before use allowing an attacker to obtain any file on the file system that was also accessible to process in which the Spring web application was running...

Access Control Bypass in Spring Security

When using Spring Security's CAS Proxy ticket authentication a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is...

Incomplete fix for CVE-2013-7315 / CVE-2013-6429 (XXE)

Spring MVC's Jaxb2RootElementHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option to disable them. Jaxb2RootElementHttpMessageConverter has been modified to provide an option to control the processing of XML external entities and...

Blank password may bypass user authentication

The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password...

Fix for XML External Entity (XXE) Injection (CVE-2013-7315) in Spring Framework was Incomplete

Spring MVC's SourceHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option to disable them. SourceHttpMessageConverter has been modified to provide an option to control the processing of XML external entities and that processing is n...

Possible XSS when using Spring MVC

The JavaScriptUtils.javaScriptEscape method did not escape all characters that are sensitive within either a JS single quoted string, JS double quoted string, or HTML script data context. In most cases this will result in an unexploitable parse error but in some cases it could result in an XSS...

XML External Entity (XXE) injection in Spring Framework

It was identified that Spring MVC processed user provided XML with JAXB in combination with a StAX XMLInputFactory without disabling external entity resolution. External entity resolution has been disabled in this case. It was subsequently discovered that this fix was incomplete CVE-2013-6429,...

XML eXternal Entity (XXE) injection in Spring Framework

The Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. There are four possible source implementations passed to the unmarshaller: DOMSource, StAXSource, SAXSource and StreamSource. For a DOMSource, the XML has already been parsed by us...

CVE-2026-41731: In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

CVE-2026-41837: Spring Data REST Querydsl integration exposes Jackson-hidden persistent fields as filter keys

Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl...

CVE-2026-41838: Spring Framework Predictable Session ID in WebSocket Module

IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules...

ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage

Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users...

This Week in Spring - April 28th, 2026

Hi Spring fans! Welcome to another installment of This Week in Spring! As I write this, I'm on PTO in beautiful Santorini, Greece, catching up on some news and about to cruise the islands for some sightseeing. There's nothing quite like springtime in the Mediterranean! I couldn't dream of enjoyin...

This Week in Spring - April 21st, 2026

Hi Spring fans! Welcome to another installment of This Week in Spring! What a week it's been since we last talked. I was in Barcelona, Spain, for the amazing Spring I/O event there. It has become my favorite show, full stop. Just such an amazing experience. So many wonderful things going on there...

This Week in Spring - April 7th, 2026

Hi Spring fans! Welcome to another installment of This Week in Spring! It's April 7th, 2026, and I'm on the road! I started the journey for the amazing Voxxed Days Amsterdam show and am now winding my way through France. I visited Colmar, a beautiful city from which the animators on Disney's Beau...