Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.springframework/spring-core@6.0.0
Type maven
Namespace org.springframework
Name spring-core
Version 6.0.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 6.0.7
Latest_non_vulnerable_version 6.2.11
Affected_by_vulnerabilities
0
url VCID-6ach-4jet-a3cb
vulnerability_id VCID-6ach-4jet-a3cb
summary
Spring Framework annotation detection mechanism may result in improper authorization
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.

Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.

You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.

This CVE is published in conjunction with CVE-2025-41248 (https://spring.io/security/cve-2025-41248).
references
0
reference_url https://github.com/spring-projects/spring-framework
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-framework
1
reference_url https://github.com/spring-projects/spring-framework/commit/6d710d482a6785b069e35022e81758953afc21ff
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-framework/commit/6d710d482a6785b069e35022e81758953afc21ff
2
reference_url https://github.com/spring-projects/spring-framework/issues/35342
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-framework/issues/35342
3
reference_url https://github.com/spring-projects/spring-framework/releases/tag/v6.2.11
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-framework/releases/tag/v6.2.11
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-41249
reference_id CVE-2025-41249
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-41249
5
reference_url https://spring.io/security/cve-2025-41249
reference_id CVE-2025-41249
reference_type
scores
url https://spring.io/security/cve-2025-41249
6
reference_url https://github.com/advisories/GHSA-jmp9-x22r-554x
reference_id GHSA-jmp9-x22r-554x
reference_type
scores
url https://github.com/advisories/GHSA-jmp9-x22r-554x
fixed_packages
0
url pkg:maven/org.springframework/spring-core@6.2.11
purl pkg:maven/org.springframework/spring-core@6.2.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@6.2.11
aliases CVE-2025-41249, GHSA-jmp9-x22r-554x
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6ach-4jet-a3cb
1
url VCID-amxf-c3z4-gbhk
vulnerability_id VCID-amxf-c3z4-gbhk
summary
Spring Framework vulnerable to denial of service via specially crafted SpEL expression
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
references
0
reference_url https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1
1
reference_url https://security.netapp.com/advisory/ntap-20230420-0007/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20230420-0007/
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-20861
reference_id CVE-2023-20861
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-20861
3
reference_url https://spring.io/security/cve-2023-20861
reference_id CVE-2023-20861
reference_type
scores
url https://spring.io/security/cve-2023-20861
4
reference_url https://github.com/advisories/GHSA-564r-hj7v-mcr5
reference_id GHSA-564r-hj7v-mcr5
reference_type
scores
url https://github.com/advisories/GHSA-564r-hj7v-mcr5
fixed_packages
0
url pkg:maven/org.springframework/spring-core@6.0.7
purl pkg:maven/org.springframework/spring-core@6.0.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@6.0.7
aliases CVE-2023-20861, GHSA-564r-hj7v-mcr5
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-amxf-c3z4-gbhk
2
url VCID-ehpw-txyw-auh6
vulnerability_id VCID-ehpw-txyw-auh6
summary
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
In Spring Framework versions prior to 5.2.24.RELEASE, 5.3.27 and 6.0.8, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
references
0
reference_url https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-20863
reference_id CVE-2023-20863
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-20863
2
reference_url https://spring.io/security/cve-2023-20863
reference_id CVE-2023-20863
reference_type
scores
url https://spring.io/security/cve-2023-20863
3
reference_url https://github.com/advisories/GHSA-wxqc-pxw9-g2p8
reference_id GHSA-wxqc-pxw9-g2p8
reference_type
scores
url https://github.com/advisories/GHSA-wxqc-pxw9-g2p8
fixed_packages
0
url pkg:maven/org.springframework/spring-core@6.0.8
purl pkg:maven/org.springframework/spring-core@6.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@6.0.8
aliases CVE-2023-20863, GHSA-wxqc-pxw9-g2p8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ehpw-txyw-auh6
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@6.0.0