Spring Framework Releases Fixes for CVE-2024-38808 and CVE-2024-38809
The Spring Framework has released versions 5.3.39, 6.0.23, and 6.1.12 that contain fixes for CVE-2024-38809, DoS via conditional HTTP requests.
The 5.3.39 release contains an additional fix for CVE-2024-38808, DoS via SpEL expression.
Note that version 5.3.39 has fixes for both CVEs. Version 5.3.38 was released earlier on the same day, and it contains the fix for CVE-2024-38809 but not CVE-2024-38808.
Upgrading Your Project
Commercial customers using Spring Boot 2.7, 3.0, or 3.1 can make use of Spring Boot Hotfix releases 2.7.21.1, 3.0.16.1, and 3.1.12.1. Releases are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription…