Description

Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL (including scheme, host, and port) is stored in the cookie and is used without validation as the post-login redirect target.

An application can be vulnerable when all the following conditions are met:

• The application uses CookieRequestCache (Servlet) or CookieServerRequestCache (WebFlux) as its RequestCache implementation.
• An attacker is able to influence the value of the REDIRECT_URI cookie, for example through cookie injection via a related subdomain, an HTTP response splitting attack, or a protocol downgrade from HTTPS to HTTP.

When all the conditions above are met, an attacker may be able to cause an authenticated user to be redirected to an attacker-controlled URL immediately after a successful login, enabling phishing attacks.

Affected Spring Products and Versions

Spring Security:

• 5.7.0 - 5.7.23
• 5.8.0 - 5.8.25
• 6.3.0 - 6.3.16
• 6.4.0 - 6.4.16
• 6.5.0 - 6.5.10
• 7.0.0 - 7.0.5
• Older, unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

No further mitigation steps are necessary.

References

• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N&version=3.1

History

• 2026-06-09: Initial vulnerability report published.