Random value property source uses a weak PRNG unsuitable for secrets
Values produced by $random.value are not suitable for use as secrets. $random.uuid is not affected. $random.int and $random.long should never be used for secrets as they are numeric values with a predictable range...
Predictable temp directory accepted without ownership verification
A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the attacker to read session information and hijack...
Default security filter chain has no authorization rule with Actuator but without Health
In certain circumstances, Spring Boot's default web security is ineffective, allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: If any of the above does not apply, the application is not vulnerable...
Cassandra SSL auto-configuration disables TLS hostname verification
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra...
PID file write follows symlinks at predictable default path
When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started...
DevTools remote secret comparison is vulnerable to timing attacks
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...
A Bootiful Podcast: Dr. Venkat Subramaniam and James Ward on Intelligent Kotlin and So Much More
I am beyond thrilled that I got to co-present with two legends, Dr. Venkat Subramaniam and James Ward, at Voxxed Days Amsterdam, and even more so that they both sat down for a quick discussion with me right before that presentation. Enjoy!...
Elasticsearch auto-configuration with an SSL bundle disables TLS hostname verification
When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server...
RabbitMQ auto-configuration with an SSL bundle disables TLS hostname verification
When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker...
Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions
Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. An attacker with a valid one-time token can send concurrent requests to the authentication endpoint, allowing the single-use token to be...
This Week in Spring - April 21st, 2026
Hi Spring fans! Welcome to another installment of This Week in Spring! What a week it's been since we last talked. I was in Barcelona, Spain, for the amazing Spring I/O event there. It has become my favorite show, full stop. Just such an amazing experience. So many wonderful things going on there...
Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata
Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of certain client metadata fields when explicitly enabled. An attacker possessing a valid Initial Access Token can dynamically register a malicious client with crafted metadata. Depending on...
Spring Office Hours Podcast: S5E13 - Community Potluck
Join Dan Vega and DaShaun Carter for the latest updates from the Spring Ecosystem. In this Potluck episode, Dan and DaShaun open up the floor to the community, answering your questions on Spring Boot, Spring AI, Spring Security, and whatever else is on your mind. Potluck episodes are shaped...
Unauthorized User Impersonation when Using X.509 Client Certificates
SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user...
Servlet Path Not Correctly Included in Path Matching of XML Authorization Rules
If an application uses to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass...
Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers
If an application is using securityMatchersString and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication,...
Potential Security Misconfiguration when Using withIssuerLocation
When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This is easy to miss when using NimbusJwtDecoder#withIssuerLocation or...
User Attribute Enumeration when Using DaoAuthenticationProvider
If an application is using the UserDetails isEnabled, isAccountNonExpired, or isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked...
Static resource cache poisoning in Spring MVC and WebFlux
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: When all the conditions above are met, the attacker can send malicious requests and poison the resource cache wi...
Spring Framework DoS with Multipart Temp Files in WebFlux
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10K. Under some circumstances, temp files may not be deleted after the request is fully processed. This allows an attacker to consume available disk space...
Denial of service in static resource handling on Windows platforms
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: When all the conditions above are met, the attacker can send malicious requests that are slow to resol...
A Bootiful Podcast: the legendary Craig Walls
Hi Spring fans! In this installment we talk to the legendary Craig Walls, author of Spring In Action, Spring AI in Action, and more!...
Spring AI Agentic Patterns (Part 7): Session API — Event-Sourced Short-Term Memory with Context Compaction
A New Session API for Spring AI — Structured, Compactable, Multi-Agent-Ready. Part 7 of the Spring AI Agentic Patterns series completes the memory picture. After covering Agent Skills, AskUserQuestionTool, TodoWriteTool, Subagent Orchestration, A2A Integration, and AutoMemoryTools for long-term...
This Week in Spring - April 14th, 2026
Hi, Spring fans! ¡Hola from Barcelona, Spain! I'm at the amazing Spring I/O event, hanging out with some of the amazing Spring ecosystem developers! Life is amazing here in the warm sun of springtime. There's a lot to look at this week, so let's dive right into it! Another nice tutorial on how to...
Spring Office Hours Podcast: S5E12 - Developer Soft Skills with Arun Gupta
Join Dan Vega and DaShaun Carter for another essential update from the Spring ecosystem. In this episode, the guys are joined by DevRel and Java legend Arun Gupta to discuss a topic often overlooked but vital for career longevity: soft skills for developers. Drawing from his decades of experience...
A Bootiful Podcast: Mark Kropf on AI orchestration
Hi Spring fans! I was delighted to get a chance to sit and talk to my pal and Pivotal alum Mark Kropf about his efforts around orchestrating AI. This doesn’t have to do with the JVM or Spring, per se, but it’s an interesting discussion nonetheless...
SSL bundle configuration silently bypassed in Spring Cloud Gateway
When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead...
This Week in Spring - April 7th, 2026
Hi Spring fans! Welcome to another installment of This Week in Spring! It's April 7th, 2026, and I'm on the road! I started the journey for the amazing Voxxed Days Amsterdam show and am now winding my way through France. I visited Colmar, a beautiful city from which the animators on Disney's Beau...
Spring AI Agentic Patterns (Part 6): AutoMemoryTools — Persistent Agent Memory Across Sessions
File-Based Long-Term Memory for Spring AI Agents Agents are only as useful as what they remember. Spring AI's Chat Memory stores the full conversation and can persist it across restarts, but when the window fills, the oldest messages are evicted. The upcoming Session API will add recursive...
A Bootiful Podcast: Java developer advocate Ana-Maria Mihalceanu
I had a wonderful chat with Java Developer Advocate Ana-Maria Mihalceanu about Java Flight Recorder, Project Babylon, Project Panama, and so many other exciting things in the Java ecosystem...
This Week in Spring - March 31st, 2026
Hi, Spring fans! Welcome to another fun edition of This Week in Spring! I'm writing to you from beautiful Amsterdam ahead of the wonderful Voxxed Days Amsterdam event, and I'm really looking forward to it. If you're there, please come say hello! Also, be aware that I'll be speaking at the Paris J...
Server-Side Request Forgery via Filter Expression Keys in Neo4jVectorStore
spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey embeds the key into a backtick-delimited Cypher...
Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching
spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintend...
RediSearch Query via Unescaped TAG Filter Values in RedisVectorStore
In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue inserts the value directly into the @field:VALUE RediSearch TAG block without escaping characters...
A Bootiful Podcast: Daniel Garnier-Moiroux on MCP Security
Hi Spring, AI, Spring AI, security, and Spring Security fans! In this installment I talk to the legendary Daniel Garnier-Moiroux!
This Week in Spring - March 24th, 2026
Hi, Spring fans! Welcome to yet another rip-roarin' installment of This Week in Spring. As usual, we've got a ton to look into, so let's dive right in! Happy 22nd birthday to Spring Framework, released this day 22 years ago! And of course, next week, 1 April 2026, marks 12 years since Spring Boot...
Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks
When substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, it was possible to access files outside of the configured search directories. In addition, when using a source control backend, the profile parameter...
A Bootiful Podcast: Cay Horstmann, legendary Java professor, author, lecturer
Hi, Spring fans! In this installment, we talk to the legendary Java author, professor, and Java Champion Cay Horstmann, whom you might know from classics such as "Core Java." And of course even the most cursory search will land you at his books...
Blending Chat with Rich UIs with Spring AI and MCP Apps
The way humans typically interact with AI is via a chat-style interface such as ChatGPT or Claude Desktop. In fact, the ability to converse with an AI in natural language is perhaps one of the most amazing things about this technology. It lets humans talk to computers in human terms, rather than...
This Week in Spring - March 17th, 2026
Hi, Spring fans! Welcome to another rip-roaring installment of This Week in Spring, which I'm posting ahead of my keynote at the amazing JavaOne 2026 event here in sunny San Francisco, California! I love Piotr's latest post on using local AI models with LM Studio and Spring AI. Did you see the ne...
A Bootiful Podcast: Spring Messaging Legend Soby Chacko
Hi, Spring fans! In this installment, we talk with the legendary Soby Chacko about Apache Kafka, Spring AI, and much more!
This Week in Spring - March 10th, 2026
Hi, Spring fans! Welcome to another installment of This Week in Spring. As I write this, I am preparing for a trip to Rust, Germany, for one of the best Java conferences in Europe: JavaLand, along with its new companion event, DevLand. It should be fun. Will you be around? If so, say hi. We have ...
This Week in Spring - March 9th, 2026
Hi Spring fans! Welcome to another rip-roaring installment of This Week in Spring! I'm writing this in an Uber en route to the airport to get to awesome Atlanta, GA, for Devnexus 2026! Who's goin'? You goin'? We - the Spring team - will be there in force! Come say hi at the booths or come see our...
A Bootiful Podcast: Neo4j legend Jennifer Reif
Hi, Spring fans! In this installment, I talk to Jennifer Reif, developer advocate at Neo4J, about graph RAG, graph databases, GraphQL, Neo4J, Spring Data Neo4J, and more.
This Week in Spring - March 3rd, 2026
Hi Spring fans! Welcome to another rip-roaring installment of This Week in Spring! I'm writing this in an Uber en route to the airport to get to awesome Atlanta, GA, for Devnexus 2026! Who's goin'? You goin'? We - the Spring team - will be there in force! Come say hi at the booths or come see our...
Moving beyond Strings in Spring Data
If you've worked with data access in Java and especially with Spring Data for a while, then you are familiar with various Query and Update programming models. You write data access code. You refactor a property name. You run your tests. They fail. Your query strings? Still pointing to the old...
A Bootiful Podcast - John Willis, author of 'Rebels of Reason'
Hi Spring fans! In this installment I sit down with DevOps legend and industry analyst extraordinaire John Willis and talk about his new book Rebels of Reason: The Long Road from Aristotle to ChatGPT and AI's Heroes Who Kept the Faith, and talk about the nature of the ecosystem, AI, the role of...
Optimizations in Spring MVC
Spring Fruits Benchmark. Abstract: Benchmarks are tricky to do well, and the results are often hard to interpret. This analysis attempts to go beyond a simple headline number to explore how performance varies with data set size. The results show that while results might be disappointing for a given...
This Week in Spring - February 24th, 2026
Hi, Spring fans! Welcome to another awesome and oh-so-agentic week in Spring! We've got a ton to look into, and I've got even more to prepare for next week's DevNexus event in Atlanta, GA, so let's dive right into it! Be sure to say "hi" if you're going to be there, though! You've heard of Agent...
A Bootiful Podcast: Glenn Renfro - Java and Spring community legend and my friend - on Devnexus and more
Hi, Spring fans! In this installment I talk to the amazing Glenn Renfro about Spring Batch, Spring Integration, Spring AI, and much more — plus why you should definitely register to attend the amazing Devnexus event in Atlanta, GA!...