Spring Security Advisories

CVE-2019-11284: Reactor Netty authentication leak in redirects

MEDIUM | OCTOBER 11, 2019 | CVE-2019-11284


Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.

Affected Spring Products and Versions




  • 2019-10-11: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all