Skip to content

chore(deps): update dependency org.springframework:spring-webmvc to v7.0.7 [security]#181

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate-main/maven-org.springframework-spring-webmvc-vulnerability
Open

chore(deps): update dependency org.springframework:spring-webmvc to v7.0.7 [security]#181
renovate[bot] wants to merge 1 commit into
mainfrom
renovate-main/maven-org.springframework-spring-webmvc-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Mar 31, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.springframework:spring-webmvc 7.0.57.0.7 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Spring MVC and WebFlux has Server Sent Event stream corruption

CVE-2026-22735 / GHSA-6hcq-hmm3-jj3c

More information

Details

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Severity

  • CVSS Score: 2.6 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Spring Framework Improper Path Limitation with Script View Templates

CVE-2026-22737 / GHSA-4773-3jfm-qmx3

More information

Details

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.

CVE-2026-22741 / GHSA-wg35-8jpf-2xv3

More information

Details

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:

When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.

Severity

  • CVSS Score: 0.0 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources

CVE-2026-22745 / GHSA-6p4f-wcwh-5vvm

More information

Details

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:

  • the application is using Spring MVC or Spring WebFlux
  • the application is serving static resources from the file system
  • the application is running on a Windows platform

When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Spring Framework Improper Path Limitation with Script View Templates

CVE-2026-22737 / GHSA-4773-3jfm-qmx3

More information

Details

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Spring MVC and WebFlux has Server Sent Event stream corruption

CVE-2026-22735 / GHSA-6hcq-hmm3-jj3c

More information

Details

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Severity

  • CVSS Score: 2.6 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources

CVE-2026-22745 / GHSA-6p4f-wcwh-5vvm

More information

Details

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:

  • the application is using Spring MVC or Spring WebFlux
  • the application is serving static resources from the file system
  • the application is running on a Windows platform

When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.

CVE-2026-22741 / GHSA-wg35-8jpf-2xv3

More information

Details

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:

When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.

Severity

  • CVSS Score: 0.0 / 10 (None)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

spring-projects/spring-framework (org.springframework:spring-webmvc)

v7.0.7

⭐ New Features

  • Improve SpringValidatorAdapter and MethodValidationAdapter performance #​36621
  • Support JSON array decoding to Flux in KotlinSerializationJsonDecoder #​36597
  • Deprecate methodIdentification() in CacheAspectSupport for removal #​36575
  • Add MockRestServiceServer#createServer variant for RestClient #​36572
  • Create RestClientXhrTransport variant replacing RestTemplateXhrTransport #​36566
  • Improve error handling in multipart codecs #​36563
  • Make ApplicationListenerMethodAdapter#getTargetMethod() public #​36558
  • ApiVersionConfigurer.setSupportedVersionPredicate() returns void instead of ApiVersionConfigurer #​36551
  • LazyConnectionDataSourceProxy does not work well with Hibernate's multi-tenancy by schema strategy #​36527
  • Add registerManagedResource variant with bean key argument to MBeanExporter #​36520
  • Handle blank Accept-Language header in AcceptHeaderLocaleResolver #​36513
  • Make AbstractStreamingClientHttpRequest and AbstractBufferingClientHttpRequest public #​36501
  • MySQL Error 149 (Galera/WSREP conflict) not translated to ConcurrencyFailureException in Spring JDBC/ORM #​36499
  • Add PreFlightRequestFilter #​36482
  • Support configuration of extension context scope for SpringExtension via Spring or JUnit properties #​36460
  • Lower log level of "Cache miss for REQUEST dispatch" in HandlerMappingIntrospector #​36309

🐞 Bug Fixes

  • WebDataBinder unnecessarily instantiates collections when using the "!" and "_" prefixes #​36625
  • Cache pollution from high-cardinality FieldError default messages in MessageSourceSupport #​36609
  • MergedAnnotation does not use ClassLoader for method or field #​36606
  • @Sql fails if DataSource is wrapped in a TransactionAwareDataSourceProxy #​36611
  • AnnotatedTypeMetadata no longer retains source declaration order on Java 24+ #​36598
  • MergedAnnotation.asMap() fails when an attribute references a non-existent class #​36586
  • FileSystemResource does not strictly follow the Resource#isReadable() contract #​36584
  • Converter overrides in HttpMessageConverters only apply when defaults are registered #​36579
  • Invalid method return type metadata for ClassFile variant on JDK 24+ #​36577
  • Fix Writer lifecycle for AbstractJsonHttpMessageConverter.writeInternal(Object, Type, Writer) #​36565
  • Flushing-related regression in SseServerResponse #​36537
  • LazyConnectionDataSourceProxy does not pass on holdability to target Connection #​36528
  • AnnotationBeanNameGenerator fails when an annotation references a non-existent class #​36524
  • Perserve default API version in RestClientAdapter #​36514
  • Inconsistent codings resolution in resource resolvers #​36507
  • DefaultJmsListenerContainer may hang in an endless loop in doShutdown #​36506
  • Query not hidden in DefaultClientResponse checkpoint #​36502
  • RestClient closes stream for ResponseEntity responses #​36492
  • IllegalStateException when using websocket handshake headers with Tomcat #​36486
  • Invalid nullness information for ParameterizedTypeReference #​36477
  • WebTestClient cannot assert null list elements #​36476
  • Handle Kotlin nullable value class param correctly in CoroutineUtils #​36449
  • Remove RFC 2047 encoding from Content-Disposition filename #​36328

📔 Documentation

  • Clarify semantics of HttpMethod.valueOf() #​36652
  • Document whitespace semantics in SpEL expressions #​36628
  • Document that spring.profiles.active is ignored by @ActiveProfiles #​36600
  • MergedAnnotation.asAnnotationAttributes() Javadoc incorrectly states that it creates an immutable map #​36567
  • Fix incorrect Javadoc in HandlerMethodReturnValueHandlerComposite regarding caching #​36555
  • Fix incorrect method name in TypeDescriptor.array() Javadoc #​36549
  • Introduce Kotlin examples for Bean Overrides (@MockitoBean, etc.) #​36541
  • Fix incorrect cross-reference links in AbstractEnvironment Javadoc #​36516
  • Document RetryTemplate#invoke variants in reference manual #​36452
  • Link observability section to Micrometer Observation Handler docs #​34994

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Mohak-Nagaraju, @​Sineaggi, @​T45K, @​angry-2k, @​bebeis, @​cookie-meringue, @​dmitrysulman, @​elgunshukurov, @​itsmevichu, @​junhyung8795, @​msridhar, @​nameearly, @​tobifasc, and @​xxxxxxjun

v7.0.6

⚠️ Attention Required

  • Log warning when default context configuration is ignored within test class hierarchies #​36390
  • Ignore flush calls on ServletServerHttpResponse body outputstream #​36385

⭐ New Features

  • Leverage ResourceHandlerUtils in ScriptTemplateView #​36458
  • Restore ScriptTemplateViewTests #​36456
  • Fix log message in ConfigurationClassBeanDefinitionReader #​36453
  • DefaultResponseErrorHandler - setMessageConverters() not called via RestClient #​36434
  • Resolve context initializers only once in AbstractTestContextBootstrapper #​36430
  • Invoke resolveContextLoader() only once in AbstractTestContextBootstrapper #​36425
  • Further align synthesized annotation toString() with modern JDKs #​36417
  • Introduce setDefaultCharset() in AbstractResourceBasedMessageSource #​36413
  • Support for JPA 4.0 flush mode "explicit" #​36401
  • Support application-wide defaultHtmlEscape setting in WebFlux RequestContext #​36400
  • Support Predicate<RequestPath>> in path API version resolver #​36398
  • Avoid duplicate flushes in HttpMessageConverter implementations #​36383
  • Add support for non-flushing OutputStream to StreamUtils #​36382
  • Make it easier to get InputStream from RestClient #​36380
  • RuntimeHintsWriter should comply with reachability-metadata-schema-v1.2.0.json #​36379
  • Make it easier to create custom HttpExchangeAdapter #​36374
  • Improve ResourceHttpMessageConverter target type support #​36368
  • org.springframework.test.web.servlet.assertj.AbstractHttpServletResponseAssert#headers case sensitivity #​36349
  • Allow registering serialized lambda metadata through RuntimeHints #​36339
  • Refactor calculateHashCode in RequestMappingInfo #​36325

🐞 Bug Fixes

  • MetadataReader misses enclosing class name for Kotlin nested classes with Java 24+ #​36451
  • Guard against invalid id/event values in Server Sent Events #​36440
  • Component scanning fails against non-loadable annotation type with enum array on Java 25 #​36432
  • Duplicate ServletServerHttpRequest headers #​36418
  • Incomplete debug message in ConfigurationClassBeanDefinitionReader #​36410
  • Inconsistent ApplicationEventMulticaster state after removing ApplicationListener implemented by FactoryBean #​36404
  • Propagate max frame length to WebSocket session #​36370
  • Graceful shutdown of SimpleAsyncTaskExecutor #​36362
  • Duplicate response headers with ResponseEntity<Mono<T>> (or Kotlin suspend function) controller method #​36357
  • HttpServiceProxyFactory returns LinkedHashMap instead of target type for method with generic return type #​36326
  • HttpMediaTypeException thrown when calculating compatible media types #​36300

📔 Documentation

  • Document FullyQualifiedConfigurationBeanNameGenerator in Javadoc and reference docs #​36455
  • Document @Fallback alongside Primary in the reference manual and @Bean Javadoc #​36439
  • Fix links to UriComponentsBuilder and polish examples #​36403
  • Emphasize @Configuration classes over XML and Groovy in testing chapter #​36393
  • Document tips to avoid issues with ignored default context configuration in tests #​36392
  • Polish SpEL operator examples in reference docs #​36367
  • Add programmatic configuration tabs in the transactional refdoc #​36323
  • Document registration recommendations for BeanPostProcessor and BeanFactoryPostProcessor #​34964

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​AgilAghamirzayev, @​aavoronin93, @​cetf9h, @​froggy0m0, @​gbouwen, @​husseinvr97, @​jisub-dev, @​ngocnhan-tran1996, @​siom79, and @​xxxxxxjun

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from lis0x90 as a code owner March 31, 2026 21:54
@renovate renovate Bot added the security label Mar 31, 2026
@renovate renovate Bot assigned ArkuNC and lis0x90 Mar 31, 2026
@renovate renovate Bot requested a review from ArkuNC March 31, 2026 21:54
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Mar 31, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate Bot changed the title chore(deps): update dependency org.springframework:spring-webmvc to v7.0.6 [security] chore(deps): update dependency org.springframework:spring-webmvc to v7.0.6 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate-main/maven-org.springframework-spring-webmvc-vulnerability branch April 27, 2026 17:37
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency org.springframework:spring-webmvc to v7.0.6 [security] - autoclosed chore(deps): update dependency org.springframework:spring-webmvc to v7.0.6 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate-main/maven-org.springframework-spring-webmvc-vulnerability branch 2 times, most recently from 92cfd34 to 3b2e3e6 Compare April 27, 2026 20:53
@renovate renovate Bot force-pushed the renovate-main/maven-org.springframework-spring-webmvc-vulnerability branch from 3b2e3e6 to 12a5eed Compare April 29, 2026 09:34
@renovate renovate Bot changed the title chore(deps): update dependency org.springframework:spring-webmvc to v7.0.6 [security] chore(deps): update dependency org.springframework:spring-webmvc to v7.0.7 [security] Apr 29, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@lis0x90 lis0x90 Awaiting requested review from lis0x90 lis0x90 is a code owner

@ArkuNC ArkuNC Awaiting requested review from ArkuNC

Assignees

@lis0x90 lis0x90

@ArkuNC ArkuNC

Labels

branch:main renovate:core security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lis0x90 @ArkuNC