Spring Security Advisories

CVE-2024-22233: Spring Framework server Web DoS Vulnerability

HIGH | JANUARY 22, 2024 | CVE-2024-22233


In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  • the application uses Spring MVC
  • Spring Security 6.1.6+ or 6.2.1+ is on the classpath

Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.

Affected Spring Products and Versions

Spring Framework

  • 6.0.15
  • 6.1.2

Older versions are not affected.

Those versions are respectively being used by Spring Boot 3.1.7 and 3.2.1.


Users of affected versions should apply the following mitigation.

  • Spring Framework 6.0.15 users should upgrade to 6.0.16.
  • Spring Framework 6.1.2 users should upgrade to 6.1.3.

No other steps are necessary.


The issue was identified and responsibly reported by

  • Aleksander Blomskøld
  • LiveOverflow (hextree.io), ZetaTwo, anasbekar, zzgoon, 0xLegacyy, xyzeva, AcroTiger

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all