Spring Security Advisories

CVE-2018-11039: Cross Site Tracing (XST) with Spring Framework

MEDIUM | JUNE 14, 2018 | CVE-2018-11039


Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Affected Spring Products and Versions

  • Spring Framework 5.0 to 5.0.6
  • Spring Framework 4.3 to 4.3.17
  • Older unsupported versions are also affected


Users of affected versions should apply the following mitigation:

  • 5.0.x users should upgrade to 5.0.7
  • 4.3.x users should upgrade to 4.3.18
  • Older versions should upgrade to a supported branch

There are no other mitigation steps necessary.

This attack applies to applications that:

  • Use the HiddenHttpMethodFilter (it is enabled by default in Spring Boot)
  • Allow HTTP TRACE requests to be handled by the application server

This attack is not exploitable directly because an attacker would have to make a cross-domain request via HTTP POST, which is forbidden by the Same Origin Policy. This is why a pre-existing XSS (Cross Site Scripting) vulnerability in the web application itself is necessary to enable an escalation to XST.


This issue was identified and reported by Mariusz Łuciów, Ocado Technology.


  • 2018-06-14: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all