CVE-2025-22233

Severity: 3.1 (LOW)
EPSS: 0.1% (top 75.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: May 16, 2025
Latest update: Oct 15, 2025

Description

CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.

Affected Spring Products and Versions

Spring Framework:
* 6.2.0 - 6.2.6
* 6.1.0 - 6.1.19
* 6.0.0 - 6.0.27
* 5.3.0 - 5.3.42
* Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed ver

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 1.6 | Impact: 1.4

Affected Packages (2 packages)

Ecosystem | Package | Range start | Range end | Additional ranges
Maven | org.springframework:spring-context | 6.2.0 | 6.2.7 | +3 more
CVEListV5 | spring/spring_framework | 6.2.0 | 6.2.6 | +3 more

Vulnerability Details (4)

GHSA: Spring Framework DataBinder Case Sensitive Match Exception (2025-05-16)
CVEList: Spring Framework DataBinder Case Sensitive Match Exception (2025-05-16)
OSV: CVE-2025-22233: CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names (2025-05-16)
OSV: Spring Framework DataBinder Case Sensitive Match Exception (2025-05-16)

Vendor Advisories (2)

Oracle: Oracle Commerce Risk Matrix: Tools And Frameworks, Content Acquisition System, Platform Services (Spring Framework) — CVE-2025-22233 (2025-10-15)
Debian: CVE-2025-22233: libspring-java - CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the con... (2025)