Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreIn Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.
Specifically, an application is vulnerable when the following is true:
Affected version(s) | Fix version | Availability |
---|---|---|
5.3.x | 5.3.39 | OSS |
Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.39+ or 6.0+. Evaluation of user-supplied SpEL expressions should be avoided when possible; otherwise, user-supplied SpEL expressions should be evaluated with a SimpleEvaluationContext
in read-only mode. No other steps are necessary.
Releases that have fixed this issue include:
This issue was identified and responsibly reported by popko.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy