Vulnerable Library - spring-boot-starter-3.1.12.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/3.1.12/spring-boot-3.1.12.jar
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (spring-boot-starter version) |
Remediation Possible** |
| CVE-2025-41249 |
 High |
7.5 |
spring-core-6.0.21.jar |
Transitive |
N/A* |
❌ |
| CVE-2025-22235 |
High |
7.3 |
spring-boot-3.1.12.jar |
Transitive |
N/A* |
❌ |
| CVE-2025-41242 |
 Medium |
5.9 |
spring-beans-6.0.21.jar |
Transitive |
N/A* |
❌ |
| CVE-2025-22233 |
 Low |
3.1 |
spring-context-6.0.21.jar |
Transitive |
N/A* |
❌ |
| CVE-2024-38820 |
Low |
3.1 |
spring-context-6.0.21.jar |
Transitive |
3.2.11 |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-41249
Vulnerable Library - spring-core-6.0.21.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/6.0.21/spring-core-6.0.21.jar
Dependency Hierarchy:
- spring-boot-starter-3.1.12.jar (Root Library)
- spring-boot-3.1.12.jar
- ❌ spring-core-6.0.21.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-16
URL: CVE-2025-41249
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41249
Release Date: 2025-09-14
Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.11,org.springframework:spring-core:6.2.11
Step up your Open Source Security Game with Mend here
CVE-2025-22235
Vulnerable Library - spring-boot-3.1.12.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/3.1.12/spring-boot-3.1.12.jar
Dependency Hierarchy:
- spring-boot-starter-3.1.12.jar (Root Library)
- ❌ spring-boot-3.1.12.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:
- You use Spring Security
- EndpointRequest.to() has been used in a Spring Security chain configuration
- The endpoint which EndpointRequest references is disabled or not exposed via web
- Your application handles requests to /null and this path needs protection
You are not affected if any of the following is true:
- You don't use Spring Security
- You don't use EndpointRequest.to()
- The endpoint which EndpointRequest.to() refers to is enabled and is exposed
- Your application does not handle requests to /null or this path does not need protection
Publish Date: 2025-04-28
URL: CVE-2025-22235
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-04-24
Fix Resolution: https://github.com/spring-projects/spring-boot.git - v3.4.5,https://github.com/spring-projects/spring-boot.git - v3.3.11,org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.5,org.springframework.boot:spring-boot-actuator-autoconfigure:3.3.11
Step up your Open Source Security Game with Mend here
CVE-2025-41242
Vulnerable Library - spring-beans-6.0.21.jar
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/6.0.21/spring-beans-6.0.21.jar
Dependency Hierarchy:
- spring-boot-starter-3.1.12.jar (Root Library)
- spring-boot-3.1.12.jar
- spring-context-6.0.21.jar
- spring-aop-6.0.21.jar
- ❌ spring-beans-6.0.21.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
Publish Date: 2025-08-18
URL: CVE-2025-41242
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-18
Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.10,org.springframework:spring-beans:6.2.10
Step up your Open Source Security Game with Mend here
CVE-2025-22233
Vulnerable Library - spring-context-6.0.21.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/6.0.21/spring-context-6.0.21.jar
Dependency Hierarchy:
- spring-boot-starter-3.1.12.jar (Root Library)
- spring-boot-3.1.12.jar
- ❌ spring-context-6.0.21.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
- 6.2.0 - 6.2.6
- 6.1.0 - 6.1.19
- 6.0.0 - 6.0.27
- 5.3.0 - 5.3.42
- Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix Version Availability 6.2.x
6.2.7
OSS6.1.x
6.1.20
OSS6.0.x
6.0.28
Commercial https://enterprise.spring.io/ 5.3.x
5.3.43
Commercial https://enterprise.spring.io/
No further mitigation steps are necessary.
Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
Publish Date: 2025-05-16
URL: CVE-2025-22233
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-22233
Release Date: 2025-05-16
Fix Resolution: org.springframework:spring-context:6.2.7,https://github.com/spring-projects/spring-framework.git - v6.1.20 ,org.springframework:spring-context:6.1.20,https://github.com/spring-projects/spring-framework.git - v6.2.7
Step up your Open Source Security Game with Mend here
CVE-2024-38820
Vulnerable Library - spring-context-6.0.21.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/6.0.21/spring-context-6.0.21.jar
Dependency Hierarchy:
- spring-boot-starter-3.1.12.jar (Root Library)
- spring-boot-3.1.12.jar
- ❌ spring-context-6.0.21.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Publish Date: 2024-10-18
URL: CVE-2024-38820
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38820
Release Date: 2024-10-18
Fix Resolution (org.springframework:spring-context): 6.1.14
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 3.2.11
Step up your Open Source Security Game with Mend here
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/3.1.12/spring-boot-3.1.12.jar
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - spring-core-6.0.21.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/6.0.21/spring-core-6.0.21.jar
Dependency Hierarchy:
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-16
URL: CVE-2025-41249
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41249
Release Date: 2025-09-14
Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.11,org.springframework:spring-core:6.2.11
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-3.1.12.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/3.1.12/spring-boot-3.1.12.jar
Dependency Hierarchy:
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:
You are not affected if any of the following is true:
Publish Date: 2025-04-28
URL: CVE-2025-22235
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-04-24
Fix Resolution: https://github.com/spring-projects/spring-boot.git - v3.4.5,https://github.com/spring-projects/spring-boot.git - v3.3.11,org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.5,org.springframework.boot:spring-boot-actuator-autoconfigure:3.3.11
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-beans-6.0.21.jar
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/6.0.21/spring-beans-6.0.21.jar
Dependency Hierarchy:
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.
Publish Date: 2025-08-18
URL: CVE-2025-41242
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-08-18
Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.10,org.springframework:spring-beans:6.2.10
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-context-6.0.21.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/6.0.21/spring-context-6.0.21.jar
Dependency Hierarchy:
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix Version Availability 6.2.x
6.2.7
OSS6.1.x
6.1.20
OSS6.0.x
6.0.28
Commercial https://enterprise.spring.io/ 5.3.x
5.3.43
Commercial https://enterprise.spring.io/
No further mitigation steps are necessary.
Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
Publish Date: 2025-05-16
URL: CVE-2025-22233
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-22233
Release Date: 2025-05-16
Fix Resolution: org.springframework:spring-context:6.2.7,https://github.com/spring-projects/spring-framework.git - v6.1.20 ,org.springframework:spring-context:6.1.20,https://github.com/spring-projects/spring-framework.git - v6.2.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-context-6.0.21.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/6.0.21/spring-context-6.0.21.jar
Dependency Hierarchy:
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Publish Date: 2024-10-18
URL: CVE-2024-38820
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38820
Release Date: 2024-10-18
Fix Resolution (org.springframework:spring-context): 6.1.14
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 3.2.11
Step up your Open Source Security Game with Mend here