Spring Security Advisories

CVE-2021-22113: Spring Cloud Netflix Zuul “Sensitive Headers” Bypass Vulnerability

MEDIUM | FEBRUARY 11, 2021 | CVE-2021-22113


Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall (enabled by default for all URLs) are not affected by the vulnerability, as they reject requests that allow bypassing.

Affected Spring Products and Versions

  • Spring Cloud Netflix Zuul
    • 2.2.6 and below


Users should upgrade to 2.2.7 and higher. Releases that have fixed this issue include:

  • Spring Cloud Netflix Zuul
    • 2.2.7


This issue was identified and responsibly reported by threedr3am (threedr3am at foxmail.com).


  • 2021-02-11: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all