Spring Boot vulnerabilities

5 known vulnerabilities affecting spring/spring_boot.

Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH: 2, MEDIUM: 3

Vulnerabilities

CVE-2026-22731 | HIGH | CVSS 8.2 | Affected: ≥ 4.0, < 4.0.3; ≥ 3.5, < 3.5.11; +1 more | 2026-03-19
CVE-2026-22731 [HIGH] CWE-288: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. T
Sources: cvelistv5, nvd
CVE-2025-22235 | HIGH | CVSS 7.3 | Affected: ≥ 2.7.x, < 2.7.25; ≥ 3.1.x, < 3.1.16; +3 more | 2025-04-28
CVE-2025-22235 [HIGH] CWE-20: EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: * You use Spring Security * EndpointRequest.to() has been used in a Spring Security chain configuration * The endpoin
Sources: cvelistv5, nvd
CVE-2024-38807 | MEDIUM | CVSS 6.3 | Affected: ≥ 2.7.x, < 2.7.22; ≥ 3.0.x, < 3.0.17; +3 more | 2024-08-23
CVE-2024-38807 [MEDIUM] CWE-290: Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.
Sources: cvelistv5, nvd
CVE-2023-34055 | MEDIUM | CVSS 6.5 | Affected: ≥ 2.7.0, < 2.7.18; ≥ 3.0.0, < 3.0.13; +2 more | 2023-11-28
CVE-2023-34055 [MEDIUM]: In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0 - 3.0.12 and 3.1.0 - 3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-b
Sources: cvelistv5, nvd
CVE-2019-3797 | MEDIUM | CVSS 5.3 | Affected: ≥ 2.0, < v2.0.9.RELEASE; ≥ 1.5, < v1.5.20.RELEASE; +1 more | 2019-05-06
CVE-2019-3797 [LOW] CWE-89: This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected
Sources: cvelistv5, nvd