fix(deps): update dependency org.springframework:spring-webflux to v7.0.7 [security]#180
Open
renovate[bot] wants to merge 1 commit into
Conversation
|
renovate
Bot
changed the title
renovate
Bot
deleted the
renovate-main/maven-org.springframework-spring-webflux-vulnerability
branch
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate-main/maven-org.springframework-spring-webflux-vulnerability
branch
2 times, most recently
from
ce106d0 to
609bda8
Compare
…v7.0.7 [security]
renovate
Bot
force-pushed
the
renovate-main/maven-org.springframework-spring-webflux-vulnerability
branch
from
609bda8 to
77553bf
Compare
renovate
Bot
changed the title
renovate
Bot
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
7.0.5→7.0.7Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Spring MVC and WebFlux has Server Sent Event stream corruption
CVE-2026-22735 / GHSA-6hcq-hmm3-jj3c
More information
Details
Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Spring Framework Improper Path Limitation with Script View Templates
CVE-2026-22737 / GHSA-4773-3jfm-qmx3
More information
Details
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Spring Framework DoS with Multipart Temp Files in WebFlux
CVE-2026-22740 / GHSA-5843-p793-ghmm
More information
Details
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.
Older, unsupported versions are also affected.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.
CVE-2026-22741 / GHSA-wg35-8jpf-2xv3
More information
Details
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.
More precisely, an application can be vulnerable when all the following are true:
When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources
CVE-2026-22745 / GHSA-6p4f-wcwh-5vvm
More information
Details
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.
More precisely, an application can be vulnerable when all the following are true:
When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Spring Framework Improper Path Limitation with Script View Templates
CVE-2026-22737 / GHSA-4773-3jfm-qmx3
More information
Details
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Spring MVC and WebFlux has Server Sent Event stream corruption
CVE-2026-22735 / GHSA-6hcq-hmm3-jj3c
More information
Details
Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Spring Framework DoS with Multipart Temp Files in WebFlux
CVE-2026-22740 / GHSA-5843-p793-ghmm
More information
Details
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.
Older, unsupported versions are also affected.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources
CVE-2026-22745 / GHSA-6p4f-wcwh-5vvm
More information
Details
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.
More precisely, an application can be vulnerable when all the following are true:
When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.
CVE-2026-22741 / GHSA-wg35-8jpf-2xv3
More information
Details
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.
More precisely, an application can be vulnerable when all the following are true:
When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
spring-projects/spring-framework (org.springframework:spring-webflux)
v7.0.7Compare Source
⭐ New Features
SpringValidatorAdapterandMethodValidationAdapterperformance #36621FluxinKotlinSerializationJsonDecoder#36597methodIdentification()inCacheAspectSupportfor removal #36575ApplicationListenerMethodAdapter#getTargetMethod()public #36558SpringExtensionvia Spring or JUnit properties #36460🐞 Bug Fixes
MergedAnnotationdoes not useClassLoaderfor method or field #36606@Sqlfails ifDataSourceis wrapped in aTransactionAwareDataSourceProxy#36611AnnotatedTypeMetadatano longer retains source declaration order on Java 24+ #36598MergedAnnotation.asMap()fails when an attribute references a non-existent class #36586FileSystemResourcedoes not strictly follow theResource#isReadable()contract #36584AbstractJsonHttpMessageConverter.writeInternal(Object, Type, Writer)#36565SseServerResponse#36537AnnotationBeanNameGeneratorfails when an annotation references a non-existent class #36524DefaultJmsListenerContainermay hang in an endless loop indoShutdown#36506CoroutineUtils#36449📔 Documentation
spring.profiles.activeis ignored by@ActiveProfiles#36600MergedAnnotation.asAnnotationAttributes()Javadoc incorrectly states that it creates an immutable map #36567TypeDescriptor.array()Javadoc #36549@MockitoBean, etc.) #36541🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@Mohak-Nagaraju, @Sineaggi, @T45K, @angry-2k, @bebeis, @cookie-meringue, @dmitrysulman, @elgunshukurov, @itsmevichu, @junhyung8795, @msridhar, @nameearly, @tobifasc, and @xxxxxxjun
v7.0.6Compare Source
⭐ New Features
ResourceHandlerUtilsinScriptTemplateView#36458ScriptTemplateViewTests#36456ConfigurationClassBeanDefinitionReader#36453AbstractTestContextBootstrapper#36430resolveContextLoader()only once inAbstractTestContextBootstrapper#36425toString()with modern JDKs #36417setDefaultCharset()inAbstractResourceBasedMessageSource#36413Predicate<RequestPath>>in path API version resolver #36398🐞 Bug Fixes
ResponseEntity<Mono<T>>(or Kotlin suspend function) controller method #36357📔 Documentation
FullyQualifiedConfigurationBeanNameGeneratorin Javadoc and reference docs #36455@FallbackalongsidePrimaryin the reference manual and@BeanJavadoc #36439UriComponentsBuilderand polish examples #36403@Configurationclasses over XML and Groovy in testing chapter #36393BeanPostProcessorandBeanFactoryPostProcessor#34964🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@AgilAghamirzayev, @aavoronin93, @cetf9h, @froggy0m0, @gbouwen, @husseinvr97, @jisub-dev, @ngocnhan-tran1996, @siom79, and @xxxxxxjun
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.