
Spring — Vulnerabilities & Security Advisories 77

Browse all 77 CVE security advisories affecting Spring. Each vulnerability comes with AI-powered Chinese-language analysis, proof-of-concept code where available, and references.

Spring is a widely adopted Java framework for building enterprise applications and underpins many critical web services. Its large ecosystem has historically exposed developers to a broad range of security issues. The most severe are critical Remote Code Execution (RCE) flaws, arising from complex request handling, data binding, Spring Expression Language (SpEL) evaluation and deserialization, which let an attacker run arbitrary code on the affected server. Server-Side Request Forgery (SSRF) via URL parsing and host validation weaknesses, Cross-Site Scripting (XSS), denial of service, and authentication or authorization bypass also appear in the record. Because the framework is modular, a vulnerability in a single component, such as Spring Boot, Spring Security or Spring Cloud Gateway, can affect the whole application stack built on it. With 77 recorded CVEs, strict dependency updates and secure coding practices are essential to keep production deployments protected against these persistent threats.

CVE ID | Title | Component | CWE | CVSS | Severity | Published
CVE-2026-22737 | Spring Framework Improper Path Limitation with Script View Templates | Spring Framework | - | 5.9 | Medium | 2026-03-19
CVE-2026-22735 | Server Sent Event stream corruption | Spring Foundation | - | 2.6 | Low | 2026-03-19
CVE-2026-22733 | Authentication Bypass under Actuator CloudFoundry endpoints | Spring Security | CWE-288 | 8.2 | High | 2026-03-19
CVE-2026-22731 | Authentication Bypass under Actuator Health groups paths | Spring Boot | CWE-288 | 8.2 | High | 2026-03-19
CVE-2025-22234 | Spring Security BCrypt Password Encoder maximum password length breaks timing attack mitigation | Spring Security | CWE-208 | 5.3 | Medium | 2026-01-22
CVE-2026-22718 | Command injection vulnerability | CLI VSCode Extension | CWE-78 | 6.8 | Medium | 2026-01-14
CVE-2025-41243 | Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux | Cloud Gateway | CWE-917 | 10.0 | Critical | 2025-09-16
CVE-2025-41232 | Spring Security authorization bypass for method security annotations on private methods | Spring Security | - | 9.1 | Critical | 2025-05-21
CVE-2025-22233 | Spring Framework DataBinder Case Sensitive Match Exception | Spring Framework | CWE-20 | 3.1 | Low | 2025-05-16
CVE-2025-22235 | Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | Spring Boot | CWE-20 | 7.3 | High | 2025-04-28
CVE-2025-22232 | Spring Cloud Config Server May Not Use Vault Token Sent By Clients | Spring Cloud Config | CWE-287 | 5.3 | Medium | 2025-04-10
CVE-2025-22223 | VMware Spring Security security vulnerability | Spring Security | CWE-290 | 5.3 | Medium | 2025-03-24
CVE-2025-22228 | Spring Security BCryptPasswordEncoder does not enforce maximum password length | Spring Security | - | 7.4 | High | 2025-03-20
CVE-2024-38829 | Spring LDAP sensitive data exposure for case-sensitive comparisons | Spring LDAP | CWE-178 | 3.7 | Low | 2024-12-04
CVE-2024-38828 | DoS via Spring MVC controller method with byte[] parameter | Spring | - | 5.3 | Medium | 2024-11-18
CVE-2024-38821 | Authorization Bypass of Static Resources in WebFlux Applications | Spring | - | 9.1 | Critical | 2024-10-28
CVE-2024-38816 | Path traversal vulnerability in functional web frameworks | Spring | - | 7.5 | High | 2024-09-13
CVE-2024-38807 | Signature Forgery Vulnerability in Spring Boot's Loader | Spring Boot | - | 6.3 | Medium | 2024-08-23
CVE-2024-38808 | Spring Expression DoS Vulnerability | Spring Framework | - | 4.3 | Medium | 2024-08-20
CVE-2024-38810 | Missing Authorization When Using @AuthorizeReturnObject | Spring Security | CWE-287 | 6.5 | Medium | 2024-08-20
CVE-2024-37084 | Remote code execution in Spring Cloud Data Flow | Spring Cloud Data Flow | - | 9.8 | Critical | 2024-07-25
CVE-2024-22262 | Spring Framework URL Parsing with Host Validation | Spring Framework | - | 8.1 | High | 2024-04-16
CVE-2024-22258 | PKCE Downgrade in Spring Authorization Server | Spring | - | 6.1 | Medium | 2024-03-20
CVE-2024-22259 | Spring Framework URL Parsing with Host Validation (2nd report) | Spring Framework | - | 8.1 | High | 2024-03-16
CVE-2024-22243 | Spring Framework URL Parsing with Host Validation | Spring Framework | - | 8.1 | High | 2024-02-23
CVE-2024-22234 | Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated | Spring Security | - | 7.4 | High | 2024-02-20
CVE-2024-22236 | Spring Cloud security vulnerability | Spring Cloud Contract | - | 3.3 | Low | 2024-01-31
CVE-2024-22233 | Spring Framework server Web DoS Vulnerability | Spring Framework | - | 7.5 | High | 2024-01-22
CVE-2023-34055 | Spring Boot server Web Observations DoS Vulnerability | Spring Boot | - | 5.3 | Medium | 2023-11-28
CVE-2023-34054 | Reactor Netty HTTP Server Metrics DoS Vulnerability | Reactor Netty | - | 5.3 | Medium | 2023-11-28
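A listing like this is only useful for dependency hygiene if it can be turned into a work queue. The following Python script is an added example, not code from this site or from the Spring project: it parses the raw one-line-per-advisory export of this listing (CVE ID, title, component, optional CWE, CVSS score, severity and date run together on one line), strips the duplicated "CVE-…:" prefix some titles carry, cross-checks each stated severity against the CVSS v3 qualitative bands, and filters the result down to the components an application actually ships, sorted by score. The sample rows are copied from the table above; the component names you pass to triage() are the listing's own labels, and several framework and Spring Security entries are filed simply under "Spring", so that label should be included when matching.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

# Constructed sample: six rows copied from this listing in its raw flat layout.
SAMPLE_ROWS = """\
CVE-2026-22733 Authentication Bypass under Actuator CloudFoundry endpoints — Spring SecurityCWE-288 8.2 High2026-03-19
CVE-2025-41243 Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux — Cloud GatewayCWE-917 10.0 Critical2025-09-16
CVE-2025-41232 CVE-2025-41232: Spring Security authorization bypass for method security annotations on private methods — Spring Security 9.1 Critical2025-05-21
CVE-2025-22233 Spring Framework DataBinder Case Sensitive Match Exception — Spring FrameworkCWE-20 3.1 Low2025-05-16
CVE-2024-38816 CVE-2024-38816: Path traversal vulnerability in functional web frameworks — Spring 7.5 High2024-09-13
CVE-2023-34054 Reactor Netty HTTP Server Metrics DoS Vulnerability — Reactor Netty 5.3 Medium2023-11-28
"""

# One flat row: "<CVE> <title> — <component>[CWE-n] <cvss> <severity><YYYY-MM-DD>"
# The CWE, when present, is glued to the component and the date to the severity.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+—\s+"
    r"(?P<component>.+?)\s*"
    r"(?P<cwe>CWE-\d+)?\s+"
    r"(?P<cvss>\d{1,2}\.\d)\s+"
    r"(?P<severity>Critical|High|Medium|Low)"
    r"(?P<published>\d{4}-\d{2}-\d{2})$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    component: str
    cwe: Optional[str]
    cvss: float
    severity: str
    published: date


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative rating for a base score."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def parse_rows(text: str) -> List[Advisory]:
    """Parse flat listing rows; raise on any row that does not fit the layout."""
    out: List[Advisory] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        title = m["title"]
        prefix = m["cve"] + ":"            # some titles repeat the CVE ID
        if title.startswith(prefix):
            title = title[len(prefix):].strip()
        out.append(Advisory(
            cve=m["cve"],
            title=title,
            component=m["component"].strip(),
            cwe=m["cwe"],
            cvss=float(m["cvss"]),
            severity=m["severity"],
            published=date.fromisoformat(m["published"]),
        ))
    return out


def inconsistent_severity(advisories: Iterable[Advisory]) -> List[str]:
    """CVE IDs whose stated severity disagrees with the CVSS band of their score."""
    return [a.cve for a in advisories if cvss_band(a.cvss) != a.severity]


def triage(advisories: Iterable[Advisory], components_in_use: Iterable[str],
           min_cvss: float = 7.0) -> List[Advisory]:
    """Advisories for shipped components at or above min_cvss, highest score first,
    newest first within a score."""
    wanted = {c.lower() for c in components_in_use}
    hits = [a for a in advisories
            if a.component.lower() in wanted and a.cvss >= min_cvss]
    return sorted(hits, key=lambda a: (-a.cvss, -a.published.toordinal()))


if __name__ == "__main__":
    advisories = parse_rows(SAMPLE_ROWS)
    print("severity mismatches:", inconsistent_severity(advisories) or "none")
    # Hypothetical bill of materials: an app built on the core framework and Spring Security.
    for a in triage(advisories, ["Spring Framework", "Spring Security", "Spring"]):
        cwe = a.cwe or "-"
        print(f"{a.cve}  {a.cvss:>4}  {a.severity:<8} {cwe:<8} {a.published}  {a.title}")
```

A ValueError on an unparseable row is deliberate: a silently skipped advisory is exactly the failure mode a triage script must not have. Feed the full export to parse_rows(), pass your real component list to triage(), and wire the output into whatever ticketing you use.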

This page lists every published CVE security advisory associated with Spring. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.