Vmware Spring Framework vulnerabilities
50 known vulnerabilities affecting vmware/spring_framework.
Total CVEs: 50
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 5, HIGH 17, MEDIUM 28
Vulnerabilities
Page 1 of 3
CVE-2025-41254 [MEDIUM] CVSS 4.3 | CWE-352 | Affected: v5.3.x, v6.0.x, +2 more | Published: 2025-10-16
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.
Affected Spring Products and Versions
Spring Framework:
* 6.2.0 - 6.2.11
* 6.1.0 - 6.1.23
* 6.0.x - 6.0.29
* 5.3.0 - 5.3.45
* Older, unsupported versions are also affected.
Mitigation
Users of affected versions should upgr
Sources: cvelistv5, nvd
CVE-2025-41248 [HIGH] CVSS 7.5 | CWE-289 | Affected: ≥ 6.2.x, < 6.2.11; ≥ 6.1.x, < 6.1.23; +1 more | Published: 2025-09-16
The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass.
Your application may be affected by this if you a
Source: nvd
CVE-2025-41249 [HIGH] CVSS 7.5 | Affected: ≥ 6.2.x, < 6.2.11; ≥ 6.1.x, < 6.1.23; +1 more | Published: 2025-09-16
Spring Framework Annotation Detection Vulnerability
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Your application may be affected by this if you are using Spring Security's @En
Source: cvelistv5
CVE-2025-41242 [MEDIUM] CVSS 5.9 | CWE-22 | Affected: ≥ 6.2.x, < 6.2.10; ≥ 6.1.x, < 6.1.22; +1 more | Published: 2025-08-18
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
* the application is deployed as a WAR or with an embedded Servlet container
* the Servlet container does not reject suspicious sequences https:
Sources: cvelistv5, nvd
CVE-2025-41234 [MEDIUM] CVSS 6.5 | CWE-113 | Affected: ≥ 6.0.5, ≤ 6.0.28; ≥ 6.1.0, ≤ 6.1.20; +1 more | Published: 2025-06-12
Description
In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.
Specifically, an application is vulnerable when all the
Sources: cvelistv5, nvd
CVE-2024-38819 [HIGH] CVSS 7.5 | CWE-22 | PoC available | Affected: Spring Framework 5.3.0 - 5.3.40, 6.0.0 - 6.0.24, 6.1.0 - 6.1.13 | Published: 2024-12-19
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Source: cvelistv5
CVE-2024-38820 [MEDIUM] CVSS 5.3 | CWE-178 | Affected: ≥ 5.3.0, < 5.3.41; ≥ 6.0.0, < 6.0.25; +1 more | Published: 2024-10-18
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Source: nvd
CVE-2024-38809 [MEDIUM] CVSS 5.3 | Affected: v6.1.0 - 6.1.11, 6.0.0 - 6.0.22, 5.3.0 - 5.3.37 | Published: 2024-09-27
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.
Users of affected versions should upgrade to the corresponding fixed version.
Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.
Source: cvelistv5
CVE-2024-38808 [MEDIUM] CVSS 4.3 | CWE-770 | Affected: ≥ 5.3.0, < 5.3.39 | Published: 2024-08-20
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.
Specifically, an application is vulnerable when the following is true:
* The application evaluates user-supplied SpEL e
Source: nvd
CVE-2024-22259 [HIGH] CVSS 8.1 | Affected: fixed in 5.3.33; ≥ 6.0.0, < 6.0.18; +1 more | Published: 2024-03-16
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This
Source: nvd
CVE-2024-22233 [HIGH] CVSS 7.5 | CWE-400 | Affected: v6.0.15, v6.1.2 | Published: 2024-01-22
In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
* the application uses Spring MVC
* Spring Security 6.1.6+ or 6.2.1+ is on the classpath
Typically, Sp
Source: nvd
CVE-2023-34053 [HIGH] CVSS 7.5 | Affected: ≥ 6.0.0, < 6.0.14 | Published: 2023-11-28
In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
* the application uses Spring MVC or Spring WebFlux
* io.micrometer:micrometer-core is on the classpath
* an Observ
Source: nvd
CVE-2023-20863 [MEDIUM] CVSS 6.5 | CWE-400 | Affected: ≥ 5.2.0, < 5.2.24; ≥ 5.3.0, < 5.3.27; +2 more | Published: 2023-04-13
In Spring Framework versions prior to 5.2.24, 5.3.27 and 6.0.8, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Sources: cvelistv5, nvd
CVE-2023-20860 [HIGH] CVSS 7.5 | Affected: ≥ 5.3.0, < 5.3.26; ≥ 6.0.0, < 6.0.7; +1 more | Published: 2023-03-27
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
Sources: cvelistv5, nvd
CVE-2023-20861 [MEDIUM] CVSS 6.5 | CWE-400 | Affected: ≤ 5.2.22; ≥ 5.3.0, ≤ 5.3.25; +2 more | Published: 2023-03-23
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Sources: cvelistv5, nvd
CVE-2022-22970 [MEDIUM] CVSS 5.3 | CWE-770 | Affected: ≤ 5.2.21; ≥ 5.3.0, ≤ 5.3.19; +1 more | Published: 2022-05-12
In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
Sources: cvelistv5, nvd
CVE-2022-22971 [MEDIUM] CVSS 6.5 | CWE-770 | Affected: ≥ 5.2.0, ≤ 5.2.21; ≥ 5.3.0, ≤ 5.3.19; +1 more | Published: 2022-05-12
In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, an application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.
Sources: cvelistv5, nvd
CVE-2022-22968 [MEDIUM] CVSS 5.3 | CWE-178 | Affected: fixed in 5.2.0; ≥ 5.2.0, ≤ 5.2.20; +1 more | Published: 2022-04-14
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first charac
Sources: cvelistv5, nvd
CVE-2022-22965 [CRITICAL] CVSS 9.8 | CWE-94 | CISA KEV | PoC available | Affected: fixed in 5.2.20; ≥ 5.3.0, < 5.3.18 | Published: 2022-04-01
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature
Sources: cvelistv5, nvd
CVE-2022-22950 [MEDIUM] CVSS 6.5 | CWE-770 | Affected: fixed in 5.2.20; ≥ 5.3.0, < 5.3.17; +1 more | Published: 2022-04-01
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Sources: cvelistv5, nvd