Description

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.

An application can be vulnerable when all the following are true:

• the application is deployed as a WAR or with an embedded Servlet container
• the Servlet container does not reject suspicious sequences
• the application serves static resources with Spring resource handling
…

Description

In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

Affected Spring Products and Versions

Reactor…

Description

In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is…

Description

Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies.

Affected Spring Products and Versions

Spring Cloud Gateway Server:

• 2.2.10.RELEASE - 4.2.2, 4.3.0-{M1, M2, RC1}

Spring Cloud Gateway Server MVC:

Description

Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass.

Your application may be affected by this if the following are true:

1. You are using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and
2. You have Spring Security method annotations on a private method
…

Description

CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.

Affected…

Description

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

• You use Spring Security
• EndpointRequest.to() has been used in a Spring Security chain configuration
• The endpoint which EndpointRequest references is disabled or not exposed via web
• Your application handles requests to /null and this path needs protection
…

Description

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider.

Affected Spring Products and Versions

Spring Security:

• 5.7.16 only
• 5.8.18 only
• 6.0.16 only
• 6.1.14 only
• 6.2.10 only
• 6.3.8 only
• 6.4.4 only
• Older, unsupported versions are also affected
…

Description

Spring Cloud Config Server may not use Vault token sent by clients using a X-CONFIG-TOKEN header when making requests to Vault.

Your application may be affected by this if the following are true:

1. You have Spring Vault on the classpath of your Spring Cloud Config Server and
2. You are using the X-CONFIG-TOKEN header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault and
3. You are using the default Spring Vault SessionManager implementation LifecycleAwareSessionManager or a SessionManager implementation that persists the Vault token such as SimpleSessionManager…

Description

Spring Security may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass.

Your application may be affected by this if the following are true:

1. You are using @EnableMethodSecurity, and
2. You have a method security annotation on a parameterized superclass, interface, or overridden method and no annotation on the target method
…