Spring Security Advisories

CVE-2017-8046: RCE in PATCH requests in Spring Data REST

CRITICAL | SEPTEMBER 21, 2017 | CVE-2017-8046


Malicious PATCH requests submitted to servers exposing Spring Data REST-backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.

Affected Spring Products and Versions

  • Spring Data REST versions prior to 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1)
  • Spring Boot (if Spring Data REST module is used) versions prior to 1.5.9, 2.0 M6


Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
      • Spring Data REST 2.6.9 (Ingalls SR9, Oct. 27th, 2017)
      • Spring Data REST 3.0.1 (Kay SR1, Oct. 27th, 2017)
      • Spring Boot 1.5.9 (Oct. 28th, 2017)
      • Spring Boot 2.0 M6 (Nov. 6th, 2017)
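As an added defender-side check that is not part of this advisory, the script below compares resolved Maven coordinates against the fixed versions listed above, ordering Spring's milestone, release-candidate and GA qualifiers so that 2.0.0.M5 is flagged while 2.0.0.M6 and 2.0.0.RC1 are not. The groupId/artifactId mapping and the sample dependency list are assumptions constructed for this example.

```python
import re
# First fixed version of each release line, taken from the advisory for
# CVE-2017-8046, keyed by Maven groupId and artifactId prefix (the artifact
# naming is an assumption about how these products appear in a build).
FIXED_VERSIONS = [
    ("org.springframework.data", "spring-data-rest", ["2.6.9.RELEASE", "3.0.1.RELEASE"]),
    ("org.springframework.boot", "spring-boot", ["1.5.9.RELEASE", "2.0.0.M6"]),
]
# Spring qualifier order: snapshots < milestones (M) < release candidates < GA.
_QUALIFIER_RANK = {"BUILD-SNAPSHOT": 0, "SNAPSHOT": 0, "M": 1, "RC": 2, "RELEASE": 3}

def parse_version(text):
    """'2.0.0.M5' -> (2, 0, 0, 1, 5); '2.6.8.RELEASE' -> (2, 6, 8, 3, 0); no qualifier means GA."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]([A-Za-z-]+?)(\d*))?", text.strip())
    if not m:
        raise ValueError("unrecognised Spring version: %r" % text)
    major, minor, patch, qualifier, qnum = m.groups()
    rank = _QUALIFIER_RANK.get((qualifier or "RELEASE").upper())
    if rank is None:
        raise ValueError("unknown qualifier in version %r" % text)
    return (int(major), int(minor), int(patch or 0), rank, int(qnum or 0))

def is_affected(group, artifact, version):
    """True if `version` is below the fix for its release line (or below every fixed line)."""
    for fixed_group, prefix, fixes in FIXED_VERSIONS:
        if group == fixed_group and artifact.startswith(prefix):
            v = parse_version(version)
            # Compare against the lowest fix whose major is >= ours; a line
            # newer than every fix (e.g. a later major) is reported as not affected.
            candidates = [f for f in map(parse_version, fixes) if f[0] >= v[0]]
            return bool(candidates) and v < min(candidates)
    return False  # not a component named in the advisory

def scan_dependency_list(lines):
    """Return (group:artifact, version) for affected `mvn dependency:list` style lines."""
    hits = []
    for line in lines:
        # Format: group:artifact:type[:classifier]:version:scope
        parts = line.strip().split(":")
        if len(parts) < 3:
            continue
        version = next((p for p in parts[2:] if re.match(r"\d+\.\d+", p)), None)
        if version and is_affected(parts[0], parts[1], version):
            hits.append((parts[0] + ":" + parts[1], version))
    return hits

# Constructed sample in the shape of `mvn dependency:list` output, not a real build.
SAMPLE_DEPENDENCY_LIST = """\
org.springframework.boot:spring-boot:jar:1.5.8.RELEASE:compile
org.springframework.data:spring-data-rest-core:jar:2.6.8.RELEASE:compile
org.springframework:spring-web:jar:4.3.12.RELEASE:compile
""".splitlines()
```

Running `scan_dependency_list(SAMPLE_DEPENDENCY_LIST)` reports the Spring Boot 1.5.8 and Spring Data REST 2.6.8 entries and leaves spring-web alone.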


This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com.


  • 2017-09-21: Initial vulnerability report published
  • 2018-03-06: Corrected affected and fixed versions
