Vulnerable Library - spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Vulnerabilities
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2022-22965
Vulnerable Library - spring-beans-5.3.4.jar
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.4/ac6c5ea0ba82f555405f74104cf378f8071c6d25/spring-beans-5.3.4.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-beans-5.3.4.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-04-01
URL: CVE-2022-22965
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-beans): 5.3.18
Direct dependency fix Resolution (org.springframework:spring-web): 5.3.18
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-1000027
Vulnerable Library - spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Dependency Hierarchy:
- ❌ spring-web-5.3.4.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Publish Date: 2020-01-02
URL: CVE-2016-1000027
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4wrc-f8pq-fpqp
Release Date: 2020-01-02
Fix Resolution: 6.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-22262
Vulnerable Library - spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Dependency Hierarchy:
- ❌ spring-web-5.3.4.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
Publish Date: 2024-04-16
URL: CVE-2024-22262
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22262
Release Date: 2024-04-16
Fix Resolution: 5.3.34
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-22259
Vulnerable Library - spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Dependency Hierarchy:
- ❌ spring-web-5.3.4.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
Publish Date: 2024-03-16
URL: CVE-2024-22259
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22259
Release Date: 2024-03-16
Fix Resolution: 5.3.33
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-22243
Vulnerable Library - spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Dependency Hierarchy:
- ❌ spring-web-5.3.4.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
Publish Date: 2024-02-23
URL: CVE-2024-22243
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22243
Release Date: 2024-02-23
Fix Resolution: 5.3.32
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-22118
Vulnerable Library - spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Dependency Hierarchy:
- ❌ spring-web-5.3.4.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
Publish Date: 2021-05-27
URL: CVE-2021-22118
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22118
Release Date: 2021-05-27
Fix Resolution: 5.3.7
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-41249
Vulnerable Libraries - spring-core-5.3.5.jar, spring-core-5.3.4.jar
spring-core-5.3.5.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.5/633de7c79bfeccf05c81a0d4a32b3336010f06ab/spring-core-5.3.5.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-core-5.3.5.jar (Vulnerable Library)
spring-core-5.3.4.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.4/46c1f8abd9e02a292c42a257350f365cec152b5d/spring-core-5.3.4.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-core-5.3.4.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-16
URL: CVE-2025-41249
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41249
Release Date: 2025-09-14
Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.11,org.springframework:spring-core:6.2.11
CVE-2026-22740
Vulnerable Library - spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Dependency Hierarchy:
- ❌ spring-web-5.3.4.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may not be deleted after the request is fully processed. This allows an attacker to consume available disk space.
Publish Date: 2026-04-18
URL: CVE-2026-22740
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-22740
Release Date: 2026-04-18
Fix Resolution: org.springframework:spring-web:6.2.18,https://github.com/spring-projects/spring-framework.git - v7.0.7,org.springframework:spring-web:7.0.7,https://github.com/spring-projects/spring-framework.git - v6.2.18
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-41242
Vulnerable Library - spring-beans-5.3.4.jar
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.4/ac6c5ea0ba82f555405f74104cf378f8071c6d25/spring-beans-5.3.4.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-beans-5.3.4.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
Publish Date: 2025-08-18
URL: CVE-2025-41242
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-18
Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.10,org.springframework:spring-beans:6.2.10
CVE-2024-38828
Vulnerable Libraries - spring-core-5.3.4.jar, spring-web-5.3.4.jar, spring-core-5.3.5.jar
spring-core-5.3.4.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.4/46c1f8abd9e02a292c42a257350f365cec152b5d/spring-core-5.3.4.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-core-5.3.4.jar (Vulnerable Library)
spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Dependency Hierarchy:
- ❌ spring-web-5.3.4.jar (Vulnerable Library)
spring-core-5.3.5.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.5/633de7c79bfeccf05c81a0d4a32b3336010f06ab/spring-core-5.3.5.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-core-5.3.5.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
Publish Date: 2024-11-18
URL: CVE-2024-38828
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
CVE-2024-38809
Vulnerable Library - spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Dependency Hierarchy:
- ❌ spring-web-5.3.4.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.
Users of affected versions should upgrade to the corresponding fixed version.
Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.
Publish Date: 2024-09-27
URL: CVE-2024-38809
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38809
Release Date: 2024-09-27
Fix Resolution: 5.3.38
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-22970
Vulnerable Libraries - spring-core-5.3.4.jar, spring-core-5.3.5.jar, spring-beans-5.3.4.jar
spring-core-5.3.4.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.4/46c1f8abd9e02a292c42a257350f365cec152b5d/spring-core-5.3.4.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-core-5.3.4.jar (Vulnerable Library)
spring-core-5.3.5.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.5/633de7c79bfeccf05c81a0d4a32b3336010f06ab/spring-core-5.3.5.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-core-5.3.5.jar (Vulnerable Library)
spring-beans-5.3.4.jar
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.4/ac6c5ea0ba82f555405f74104cf378f8071c6d25/spring-beans-5.3.4.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-beans-5.3.4.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
Publish Date: 2022-05-12
URL: CVE-2022-22970
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22970
Release Date: 2022-05-12
Fix Resolution (org.springframework:spring-core): 5.3.20
Direct dependency fix Resolution (org.springframework:spring-web): 5.3.20
Fix Resolution (org.springframework:spring-core): 5.3.20
Direct dependency fix Resolution (org.springframework:spring-web): 5.3.20
Fix Resolution (org.springframework:spring-beans): 5.3.20
Direct dependency fix Resolution (org.springframework:spring-web): 5.3.20
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-22096
Vulnerable Libraries - spring-core-5.3.4.jar, spring-web-5.3.4.jar, spring-core-5.3.5.jar
spring-core-5.3.4.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.4/46c1f8abd9e02a292c42a257350f365cec152b5d/spring-core-5.3.4.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-core-5.3.4.jar (Vulnerable Library)
spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Dependency Hierarchy:
- ❌ spring-web-5.3.4.jar (Vulnerable Library)
spring-core-5.3.5.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.5/633de7c79bfeccf05c81a0d4a32b3336010f06ab/spring-core-5.3.5.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-core-5.3.5.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution (org.springframework:spring-core): 5.3.12
Direct dependency fix Resolution (org.springframework:spring-web): 5.3.12
Fix Resolution (org.springframework:spring-core): 5.3.12
Direct dependency fix Resolution (org.springframework:spring-web): 5.3.12
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-22060
Vulnerable Libraries - spring-core-5.3.4.jar, spring-web-5.3.4.jar, spring-core-5.3.5.jar
spring-core-5.3.4.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.4/46c1f8abd9e02a292c42a257350f365cec152b5d/spring-core-5.3.4.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-core-5.3.4.jar (Vulnerable Library)
spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Dependency Hierarchy:
- ❌ spring-web-5.3.4.jar (Vulnerable Library)
spring-core-5.3.5.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.5/633de7c79bfeccf05c81a0d4a32b3336010f06ab/spring-core-5.3.5.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-core-5.3.5.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
Publish Date: 2022-01-07
URL: CVE-2021-22060
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2021-22060
Release Date: 2022-01-07
Fix Resolution (org.springframework:spring-core): 5.3.14
Direct dependency fix Resolution (org.springframework:spring-web): 5.3.14
Fix Resolution (org.springframework:spring-core): 5.3.14
Direct dependency fix Resolution (org.springframework:spring-web): 5.3.14
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-38820
Vulnerable Libraries - spring-core-5.3.4.jar, spring-web-5.3.4.jar, spring-core-5.3.5.jar
spring-core-5.3.4.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.4/46c1f8abd9e02a292c42a257350f365cec152b5d/spring-core-5.3.4.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-core-5.3.4.jar (Vulnerable Library)
spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Dependency Hierarchy:
- ❌ spring-web-5.3.4.jar (Vulnerable Library)
spring-core-5.3.5.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.5/633de7c79bfeccf05c81a0d4a32b3336010f06ab/spring-core-5.3.5.jar
Dependency Hierarchy:
- spring-web-5.3.4.jar (Root Library)
- ❌ spring-core-5.3.5.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Publish Date: 2024-10-18
URL: CVE-2024-38820
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38820
Release Date: 2024-10-18
Fix Resolution: org.springframework:spring-context:6.1.14
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-22735
Vulnerable Library - spring-web-5.3.4.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.4/d93829e24a50ed22e781f2302680a210cac5ee84/spring-web-5.3.4.jar
Dependency Hierarchy:
- ❌ spring-web-5.3.4.jar (Vulnerable Library)
Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018
Found in base branch: main
Vulnerability Details
Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Publish Date: 2026-03-19
URL: CVE-2026-22735
CVSS 3 Score Details (2.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-22735
Release Date: 2026-03-19
Fix Resolution: org.springframework:spring-webmvc:7.0.6,https://github.com/spring-projects/spring-framework.git - v7.0.6,https://github.com/spring-projects/spring-framework.git - v6.1.21,org.springframework:spring-web:7.0.6,org.springframework:spring-web:6.2.17,org.springframework:spring-webmvc:6.2.17,https://github.com/spring-projects/spring-framework.git - v6.2.17
⛑️ Automatic Remediation will be attempted for this issue.