CVE-2026-40999: Spring WS SSRF via unvalidated WS-Addressing reply destinations

HIGH | JUNE 10, 2026 | CVE-2026-40999

Description

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. A remote attacker may supply crafted addressing headers that cause the server to connect to internal-only hosts, cloud metadata endpoints, or other sensitive destinations (SSRF).

This issue only affects deployments where all the following are true:

  • An AbstractAddressingEndpointMapping subclass is registered with one or more WebServiceMessageSender instances configured for out-of-band replies.
  • The service accepts WS-Addressing headers (wsa:ReplyTo / wsa:FaultTo) from untrusted callers.
  • No restrictive destination validator or equivalent network-level egress control is in place.

Affected Spring Products and Versions

Spring Web Services:

  • 5.0.0 - 5.0.1
  • 4.1.0 - 4.1.3
  • 4.0.0 - 4.0.18
  • 3.1.0 - 3.1.8

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) | Fix version | Availability
5.0.x               | 5.0.2       | OSS
5.0.x               | 5.0.1.1     | Enterprise Support Only
4.1.x               | 4.1.4       | OSS
4.1.x               | 4.1.3.1     | Enterprise Support Only
4.0.x               | 4.0.19      | Enterprise Support Only
3.1.x               | 3.1.9       | Enterprise Support Only

If you cannot upgrade, you can restrict the destinations that each configured sender accepts by overriding its supports method. For example, to allowlist specific JMS destination names:

import java.net.URI;
import java.util.Set;
import org.springframework.ws.transport.jms.JmsMessageSender;
import org.springframework.ws.transport.jms.JmsTransportUtils;

class SafeJmsMessageSender extends JmsMessageSender {
    // Example allowlist; replace with the destination names your service legitimately replies to
    private static final Set<String> ALLOWED_DESTINATIONS = Set.of("replies.queue", "faults.queue");

    @Override
    public boolean supports(URI uri) {
        // Keep the parent's scheme check, then require a known-safe destination name
        return super.supports(uri) &&
                isAllowedDestination(JmsTransportUtils.getDestinationName(uri));
    }

    private boolean isAllowedDestination(String destinationName) {
        // Return true only for known-safe destination names
        return destinationName != null && ALLOWED_DESTINATIONS.contains(destinationName);
    }
}

Apply the same pattern to any other configured sender type, such as HttpUrlConnectionMessageSender or MailMessageSender.
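The same pattern applied to an HTTP sender, as an added example that is not part of this advisory or of Spring's own code. It keeps the parent's http/https scheme check and additionally requires the reply host to be on an explicit allowlist; the host names in the allowlist and the class name are placeholders.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;
import org.springframework.ws.transport.http.HttpUrlConnectionMessageSender;

/**
 * HTTP sender that only dials an explicit allowlist of reply hosts.
 * Added example, not Spring's code; host names below are placeholders.
 */
public class SafeHttpMessageSender extends HttpUrlConnectionMessageSender {

    // Placeholder allowlist; replace with the hosts your service must legitimately reply to
    private static final Set<String> ALLOWED_HOSTS = Set.of(
            "replies.partner.example",
            "callbacks.partner.example");

    @Override
    public boolean supports(URI uri) {
        // Parent check accepts http/https URIs; we additionally require an allowlisted host
        return super.supports(uri) && isAllowedDestination(uri);
    }

    static boolean isAllowedDestination(URI uri) {
        // Opaque or host-less URIs (mailto:, urn:, relative paths) are never dialed
        if (uri == null || uri.getHost() == null) {
            return false;
        }
        // Reject "user@host" forms so the allowlist compares the real host, not user-info
        if (uri.getUserInfo() != null) {
            return false;
        }
        // Case-insensitive exact match on the host name; no substring or suffix matching
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        return ALLOWED_HOSTS.contains(host);
    }
}
```

Register the sender on the addressing endpoint mapping (for example via its setMessageSenders property) in place of the default one. Because this allowlist compares host names, pair it with the network-level egress control mentioned above so that what an allowlisted name resolves to is also constrained.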

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N&version=3.1

History

  • 2026-06-10: Initial vulnerability report published.
