The Spring Framework has released version 5.3.42 that contains a fix for:

• CVE-2024-38828: DoS via Spring MVC controller method with byte[] parameter

Note that open source support for Spring Framework 5.3.x and 6.0.x generations has ended last August, as announced previously. This fix has only been applied to the 5.3.42 commercial release, available now.

If you are not a commercial customer, please consider upgrading to an open source supported version at your earliest convenience.

Upgrading Your Project

Commercial customers using Spring Boot 2.7 can make use of Spring Boot Hotfix release 2.7.22.4. Releases are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription.