Spring Expression DoS Vulnerability
In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0 - 5.2.19, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition...
Spring Cloud Gateway Code Injection Vulnerability
Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host...
Spring Cloud Gateway HTTP2 Insecure TrustManager
Applications using Spring Cloud Gateway that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates...
Directory Traversal with spring-cloud-config-server
Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted UR...
Signature Wrapping Vulnerability with spring-security-saml2-service-provider
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...
Dictionary attack with Spring Security queryable text encryptor
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has...
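What a fixed IV gives away, shown with an added illustration that is not Spring's code and not the queryable text encryptor's implementation: a PBKDF2-derived AES key, CBC with an all-zero IV, and a small dictionary lookup against "stored" rows. The password, salt and sample values are constructed for the demo; it needs only the JDK (Java 11 or later).

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class FixedIvDictionaryDemo {

    // Derive an AES-128 key from a password and salt with PBKDF2 (constructed values below).
    static SecretKey deriveKey(String password, byte[] salt) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] keyBytes = factory.generateSecret(
                new PBEKeySpec(password.toCharArray(), salt, 65536, 128)).getEncoded();
        return new SecretKeySpec(keyBytes, "AES");
    }

    // AES-CBC with a caller-supplied IV. Reusing an all-zero IV for every call makes
    // the output deterministic: equal plaintexts produce equal ciphertexts.
    static byte[] encryptCbc(SecretKey key, byte[] iv, String plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    }

    static String b64(byte[] bytes) {
        return Base64.getEncoder().encodeToString(bytes);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = deriveKey("app-secret", "constructed-salt".getBytes(StandardCharsets.UTF_8));
        byte[] fixedIv = new byte[16]; // the "null" IV: sixteen zero bytes

        // Two rows that happen to hold the same secret value (constructed sample data).
        byte[] row1 = encryptCbc(key, fixedIv, "4111111111111111");
        byte[] row2 = encryptCbc(key, fixedIv, "4111111111111111");
        System.out.println("fixed IV, equal plaintexts give equal ciphertexts: " + Arrays.equals(row1, row2));

        // Dictionary attack: an attacker who can obtain encryptions of chosen values
        // (here by calling the same encryptor the application uses) precomputes
        // ciphertext -> guess and looks up each stored row.
        Map<String, String> dictionary = new HashMap<>();
        for (String guess : List.of("4111111111111111", "5500000000000004", "340000000000009")) {
            dictionary.put(b64(encryptCbc(key, fixedIv, guess)), guess);
        }
        System.out.println("row1 recovered as: " + dictionary.get(b64(row1)));

        // With a fresh random IV per call the same plaintext no longer repeats,
        // so the precomputed dictionary matches nothing.
        SecureRandom random = new SecureRandom();
        byte[] iv1 = new byte[16];
        byte[] iv2 = new byte[16];
        random.nextBytes(iv1);
        random.nextBytes(iv2);
        byte[] fresh1 = encryptCbc(key, iv1, "4111111111111111");
        byte[] fresh2 = encryptCbc(key, iv2, "4111111111111111");
        System.out.println("random IVs, equal plaintexts give equal ciphertexts: " + Arrays.equals(fresh1, fresh2));
        System.out.println("fresh ciphertext found in dictionary: " + dictionary.containsKey(b64(fresh1)));
    }
}
```

Equality of ciphertexts is exactly the property a "queryable" encryptor needs so that an encrypted column can be searched with a plain equality predicate, so the leak is structural rather than a bug in one implementation: any deterministic scheme lets an attacker who can get chosen values encrypted, or who can enumerate a low-entropy field, match them against stored rows. A random IV closes that channel at the cost of the lookup, which then has to be provided another way, for example a separate keyed hash of the value used only for equality matching.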
Authentication Leak On Redirect With Reactor Netty HttpClient
Reactor Netty HttpClient, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects...
DoS Via Malformed URL with Reactor Netty HTTP Server
Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response...
RFD Attack via “Content-Disposition” Header Sourced from Request Input by Spring MVC or Spring WebFlux Application
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header in the response where the filename attribute is derived from use...
Reactor Netty authentication leak in redirects
Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to...
Directory Traversal with spring-cloud-config-server
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a...
Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make...
XML External Entity Injection (XXE)
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
Stored XSS in file upload of Spring Batch Admin
Cross-site scripting (XSS) vulnerability in the file upload feature of Spring Batch Admin allows a remote attacker to inject arbitrary web script or HTML via a crafted request related to the file upload functionality...
DoS Attack with XML Input
XML external entities were previously disabled with the publication of http://pivotal.io/security/cve-2013-6429. If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid accordin...
XML External Entity (XXE) injection when using Spring MVC
When processing user provided XML documents, the Spring Framework did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack...
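A parser configuration that addresses the three XML items above (the Spring Batch XXE, the inline-DTD XML bomb, and the DTD URI-resolution XXE in Spring MVC), as an added example built on the JDK's own DocumentBuilderFactory; it is not Spring's code. The two hostile documents are constructed for the demo. The feature URIs are the ones the JDK's built-in Xerces parser accepts; another JAXP implementation may reject them with a ParserConfigurationException, which should be treated as fatal rather than swallowed.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Parser that refuses any DOCTYPE. Without a DTD there are no external entities
    // to fetch (XXE) and no inline entity definitions to expand (XML bombs).
    static DocumentBuilder newHardenedBuilder() throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour these but not the line above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // Parses untrusted XML; returns null when the parser rejects the document.
    static Document parseUntrusted(String xml) throws Exception {
        try {
            return newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    // Constructed hostile inputs: an external-entity file read and a nested entity expansion bomb.
    static final String XXE = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE job [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
            + "<job><name>&xxe;</name></job>";
    static final String BOMB = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE job [<!ENTITY a \"aaaaaaaaaa\">"
            + "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">"
            + "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">]>"
            + "<job><name>&c;</name></job>";
    static final String BENIGN = "<?xml version=\"1.0\"?><job><name>nightly</name></job>";

    public static void main(String[] args) throws Exception {
        System.out.println("xxe accepted:  " + (parseUntrusted(XXE) != null));
        System.out.println("bomb accepted: " + (parseUntrusted(BOMB) != null));
        Document ok = parseUntrusted(BENIGN);
        System.out.println("benign root:   " + ok.getDocumentElement().getTagName());
    }
}
```

Rejecting the DOCTYPE outright is the simplest configuration to reason about: it makes both attack classes impossible at once instead of relying on entity-resolution settings that differ between parser implementations. If a legitimate feed really needs a DTD, the remaining features above still have to be set, and the parser should also be given an entity-expansion limit.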
Reactor Netty HTTP Client Leaks Credentials On Protocol Downgrade Redirect
In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects...
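The policy the three Reactor Netty redirect advisories on this page imply, written out as an added example that is not Reactor Netty's code and not its fix: credentials are forwarded only when the redirect target has the same scheme, host and port as the original request, so both a host change and an https-to-http downgrade strip them. The URIs and header values are constructed, and names such as headersForRedirect are this example's own.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class RedirectCredentialPolicy {

    // Request headers that carry credentials; names are compared case-insensitively.
    private static final Set<String> CREDENTIAL_HEADERS =
            Set.of("authorization", "proxy-authorization", "cookie");

    // Port with the scheme default filled in, so https://a and https://a:443 compare equal.
    static int effectivePort(URI uri) {
        if (uri.getPort() != -1) {
            return uri.getPort();
        }
        return "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
    }

    // Same scheme, host and port. An https -> http downgrade changes the scheme and
    // therefore fails this check even when the host is unchanged. URIs without a host
    // (relative or opaque) are never treated as same-origin.
    static boolean sameOrigin(URI original, URI target) {
        if (original.getHost() == null || target.getHost() == null) {
            return false;
        }
        return original.getScheme().equalsIgnoreCase(target.getScheme())
                && original.getHost().equalsIgnoreCase(target.getHost())
                && effectivePort(original) == effectivePort(target);
    }

    // Headers to send on the redirected request: everything for a same-origin redirect,
    // everything except credentials for a cross-origin one.
    static Map<String, String> headersForRedirect(URI original, URI target, Map<String, String> requestHeaders) {
        Map<String, String> forwarded = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        forwarded.putAll(requestHeaders);
        if (!sameOrigin(original, target)) {
            forwarded.keySet().removeIf(name -> CREDENTIAL_HEADERS.contains(name.toLowerCase(Locale.ROOT)));
        }
        return forwarded;
    }

    public static void main(String[] args) {
        URI original = URI.create("https://api.example.test/v1/report");
        Map<String, String> headers = Map.of(
                "Authorization", "Bearer constructed-token",
                "Accept", "application/json");

        // Same host, scheme and port: credentials travel with the redirect.
        System.out.println(headersForRedirect(original, URI.create("https://api.example.test/v2/report"), headers));
        // Different host: Authorization is dropped.
        System.out.println(headersForRedirect(original, URI.create("https://cdn.other.test/report"), headers));
        // Same host but https -> http downgrade: Authorization is dropped as well.
        System.out.println(headersForRedirect(original, URI.create("http://api.example.test/v1/report"), headers));
    }
}
```

The check is deliberately on the resolved absolute target, not on the raw Location header, because a relative Location resolves against the current origin and should keep credentials while an absolute one may not. Whatever client library is in use, the same three-part comparison is the test to apply before copying headers across a redirect.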
Spring Framework Cross-site Scripting via JavaScriptUtils
Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability...
Spring Framework Open Redirect in Spring MVC and WebFlux
A Spring MVC or Spring WebFlux application which configures a mapping for "/" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Spring MVC applications with the same preconditions...
Spring Framework Cross-site Scripting via JSP Form Tags
Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability...
Spring AI Agentic Patterns (Part 6): AutoMemoryTools — Persistent Agent Memory Across Sessions
File-Based Long-Term Memory for Spring AI Agents Agents are only as useful as what they remember. Spring AI's Chat Memory stores the full conversation and can persist it across restarts, but when the window fills, the oldest messages are evicted. The upcoming Session API will add recursive...
A Bootiful Podcast: Spring Security lead Rob Winch on Spring Security 7
Hi, Spring fans! In this installment, I have the privilege of sitting down and talking to the legendary Rob Winch, lead of Spring Security, Spring Session, and the amazing Testjars project...
A Bootiful Podcast: Nate Schutta the fundamentals of software engineering
Hi Spring fans, and happy holidays! I'm delighted to be joined again on this episode by my friend and fellow harbinger of doom in the best possible way, Nate Schutta — co-author of the wonderful book Foundations of Software Engineering!...
A Bootiful Podcast: The legendary Rossen Stoyanchev on API versioning, declarative interface clients, RestTestClients, and more
Hi, Spring fans! Welcome to another installment of a Bootiful Podcast! In this installment I talk to the legendary Rossen Stoyanchev on API versioning, declarative interface clients, RestTestClients, and more!...
A Bootiful Podcast: Dan Vega on the fundamentals of software engineering
Hi, Spring fans! I'm so excited to chat with fellow Spring developer advocate Dan Vega about his new book, Fundamentals of Software Engineering...
Spring Data Ahead of Time Repositories - Part 2
Concluding the Road to GA blog post series, let's explore benefits of Spring Data AOT Repositories. Back in May 2025, we first introduced Ahead of Time (AOT) repositories as a preview feature for JPA and MongoDB with the 3rd Milestone of the next Spring Data generation. This feature, in short, uses...
A Bootiful Podcast: The legendary Bruce Eckel on language design, effects, abstraction, concurrency, and so much more
Hi, Spring fans! In this installment, I sit down with the legendary Bruce Eckel, who has probably forgotten more about programming languages than I will ever know, and whose book Thinking in Java helped launch me into a career...
A Bootiful Podcast: Elastic's developer advocate extraordinaire Philip Krenn on the state of logging
Hi, Spring fans! In this installment, we talk to my friend and Elastic's developer advocate extraordinaire Philip Krenn on the state of logging...
Introducing Spring AI Agents and Spring AI Bench
I'd like to introduce two new projects that are part of the Spring AI Community GitHub organization: Spring AI Agents, and Spring AI Bench. These two projects focus on using agentic coding tools—tools you likely already have in your enterprise. In 2025 AI coding agents have matured to the point...
This Week in Spring - October 28th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's a wonderful Tuesday here in my home town of San Francisco as I write this from my condo's balcony, fresh off more than three weeks on the road. By the time we'll speak again in a week, Halloween will have come and gone...
HTTP Service Client Enhancements
In this 3rd blog post of the Road to GA series that’s highlighting major features within the Spring portfolio for the next major versions to be released in November we’ll have a look at new features for HTTP service clients, which are a collaborative effort across several Spring projects...
A Bootiful Podcast: Spring Cloud lead Spencer Gibb, live from SpringOne 2025
Hi, Spring fans! In this installment, we talk to the legendary lead of Spring Cloud and friend to the community, Spencer Gibb! This was recorded live from Las Vegas, NV, at the fantastic SpringOne 2025 event!...
Spring Authorization Server moving to Spring Security 7.0
Spring Authorization Server has come a long way since 1.0 was officially released in November 2022. Starting as a project separate from Spring Security has allowed it to iterate quickly on feature development and ultimately grow a rich feature set for building OAuth2 Authorization Servers. It ha...
A Bootiful Podcast: Andrew Lombardi, Beginning Spring AI co-author, and friend of the show
Hi, Spring fans! In this installment I am thrilled to talk to my longtime friend Andrew Lombardi about the latest-and-greatest, his new book Beginning Spring AI, and more...
A Bootiful Podcast: Spring Security lead Rob Winch on Spring Security 7.0, SpringOne 2025, and more
Hi, Spring fans! In this installment I'm joined by Spring Security lead Rob Winch to discuss the amazing new additions to Spring Security 7.0, coming in November of 2025, and the coverage you can expect when you see our talk at SpringOne 2025 (have you registered? https://springone.io)...
This Week in Spring - July 29th, 2025
It's the end of July! JULY! The seventh month of the year, done and dusted! AHHHHH! I've got memories of being on a tropical beach over the winter holidays, sipping rum and dodging mosquitoes like I was doing a rhythmic gymnastics routine just recently. It turns out that was seven months ago, not...
DoS via Spring MVC controller method with byte[] parameter
Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack...
A Bootiful Podcast: Baruch Sadogursky on Gradle, Java, developer productivity, and more
Hi, Spring fans! In this installment, I talk to legendary Gradle Developer Productivity Engineering guru formerly of JFrog and hero to the JVM-language community, Baruch Sadogursky, recorded live from Dr. Venkat Subramaniam's amazing conference, Dev2Next 2024!...
A Bootiful Podcast: GraalVM founder and BDFL Thomas Wuerthinger on GraalPy, GraalVM, and so much more
Hi, Spring fans! In this installment I talk to GraalVM founder and benevolent dictator for life Thomas Wuerthinger, recorded live from Devoxx Belgium 2024!...
Spring Framework DataBinder Case Sensitive Match Exception
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale-dependent exceptions that could potentially result in fields not protected as expected...
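The locale problem behind that advisory, shown with an added stand-in matcher that is not Spring's DataBinder code: both sides of a disallowed-field comparison are lower-cased in a chosen Locale, and under Turkish casing rules "ID" and "id" no longer compare equal because uppercase I lower-cases to dotless ı (U+0131). The pattern list and field names are constructed; the wildcard handling is this example's own simplification.

```java
import java.util.List;
import java.util.Locale;

public class DisallowedFieldCheck {

    // Matches a field name against a disallowed pattern with simple "prefix*", "*suffix"
    // and "*infix*" wildcards, lower-casing both sides in the given locale. A stand-in
    // written for this demo, not Spring's own matching code.
    static boolean matches(String field, String pattern, Locale locale) {
        String f = field.toLowerCase(locale);
        String p = pattern.toLowerCase(locale);
        if (p.length() > 1 && p.startsWith("*") && p.endsWith("*")) {
            return f.contains(p.substring(1, p.length() - 1));
        }
        if (p.startsWith("*")) {
            return f.endsWith(p.substring(1));
        }
        if (p.endsWith("*")) {
            return f.startsWith(p.substring(0, p.length() - 1));
        }
        return f.equals(p);
    }

    static boolean isDisallowed(String field, List<String> patterns, Locale locale) {
        return patterns.stream().anyMatch(p -> matches(field, p, locale));
    }

    public static void main(String[] args) {
        List<String> disallowed = List.of("ID", "isAdmin", "*Internal");
        Locale turkish = Locale.forLanguageTag("tr-TR");

        // Locale.ROOT: "ID" -> "id", so a request field "id" is blocked.
        System.out.println("ROOT  id blocked:      " + isDisallowed("id", disallowed, Locale.ROOT));
        // tr-TR: "ID".toLowerCase(tr) is "ıd" while "id" stays "id", so the same field slips through.
        System.out.println("tr-TR id blocked:      " + isDisallowed("id", disallowed, turkish));
        // The gap is symmetric: an upper-cased request field "ISADMIN" becomes "ısadmın"
        // under tr-TR and no longer matches the lower-cased pattern "isadmin".
        System.out.println("ROOT  ISADMIN blocked: " + isDisallowed("ISADMIN", disallowed, Locale.ROOT));
        System.out.println("tr-TR ISADMIN blocked: " + isDisallowed("ISADMIN", disallowed, turkish));
    }
}
```

The practical rule is to pass an explicit Locale.ROOT (or Locale.ENGLISH) to every toLowerCase and toUpperCase used in a security comparison and never the no-argument overload, which silently uses the JVM default locale. Turkish is the usual example, but Azerbaijani and Lithuanian also have special casing rules, so the failure is not confined to one deployment region.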
From Spring Framework 6.2 to 7.0
Dear Spring community, Spring Framework 6.2 is shaping up for general availability in November 2024, with particularly significant revisions in the core container and in our web support: see "What's New in Spring Framework 6.2". This release is designed for use with JDK 17-23 and Jakarta EE 9-10...
Path traversal vulnerability in functional web frameworks
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...
Security Bypass With Wildcard Pattern Matching on Cloud Foundry
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Specifically, an application is vulnerable when all of the following are true: NOTE:...
Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more...
Spring-AMQP Remote Denial of Service - Out of Memory Error with a Large Message Body
The Spring AMQP Message object, in its toString method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message body...
Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability
Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at /hystrix/monitor;[user-provided data], the path elements following...
Potential Security Bypass for customized Spring Data REST Resource
In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...
Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dashboard
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can...
Kryo Configuration Allows Code Execution with Unknown “Serialization Gadgets”
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
Jackson Configuration Allows Code Execution with Unknown “Serialization Gadgets”
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means...
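Allow-listing instead of gadget deny-listing, as an added example covering both the Kryo and the Jackson items above; it is not Spring Integration's or Spring Batch's configuration. Jackson's default typing is enabled only together with a PolymorphicTypeValidator that accepts the application's own package, and Kryo is told to require up-front class registration so unknown class names in the stream cannot be resolved on demand. It assumes jackson-databind 2.10 or later and Kryo 5 on the classpath; the package name and the JobContext type are this example's own.

```java
package com.example.batch;

import com.esotericsoftware.kryo.Kryo;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import java.util.ArrayList;

public class PolymorphicDeserializationConfig {

    // A payload type of our own that legitimately needs polymorphic handling.
    public static class JobContext {
        public String name;
        public int attempt;
    }

    // Jackson: default typing lets the JSON stream name the class to instantiate.
    // Rather than relying on a deny-list of known gadgets, accept only this package.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.batch.") // this demo's package; substitute your own
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Kryo: with registration required, a class that was not registered up front is
    // rejected when it appears in the stream instead of being loaded by name.
    static Kryo hardenedKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(ArrayList.class);
        kryo.register(JobContext.class);
        return kryo;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        JobContext ctx = new JobContext();
        ctx.name = "nightly";
        ctx.attempt = 2;
        // Written as ["com.example.batch.PolymorphicDeserializationConfig$JobContext", {...}]
        String json = mapper.writeValueAsString(ctx);
        System.out.println(json);
        Object back = mapper.readValue(json, Object.class);
        System.out.println("round trip: " + back.getClass().getSimpleName());

        // Constructed hostile input naming a class outside the allow-list. The validator
        // refuses it before any constructor runs; a real gadget class is refused the same way.
        String hostile = "[\"java.lang.StringBuilder\",{}]";
        try {
            mapper.readValue(hostile, Object.class);
            System.out.println("unexpectedly accepted");
        } catch (JsonProcessingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }

        Kryo kryo = hardenedKryo();
        System.out.println("kryo registration required: " + kryo.isRegistrationRequired());
    }
}
```

The allow-list should be as narrow as the payloads actually require; allowIfSubType on a package prefix is convenient, but listing concrete classes with allowIfSubType(Class) is tighter still. Global default typing, as the Spring Batch item describes, is the setting that makes the validator necessary in the first place, so the first question to ask is whether it can be turned off and replaced by explicit @JsonTypeInfo on the few types that need it.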