Spring Security Advisories

CVE-2016-4977 Remote Code Execution (RCE) in Spring Security OAuth

HIGH | JULY 05, 2016 | CVE-2016-4977


When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.

Affected Spring Products and Versions

  • 2.0.0 to 2.0.9
  • 1.0.0 to 1.0.5


Users of affected versions should apply the following mitigation:

  • Users of 1.0.x should not use whitelabel views for approval and error pages
  • Users of 2.0.x should either not use whitelabel views for approval and error pages or upgrade to 2.0.10 or later


This issue was found by David Vieira-Kurz (@secalert) and reported by Oliver Schoenherr on behalf of Immobilien Scout GmbH.


  • 2016-Jul-05: Initial vulnerability report published
  • 2016-Aug-30: Update credit

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all