VulnerableCode Package Details - pkg:maven/org.springframework.boot/spring-boot@2.5.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-cyjt-4vjn-mbc7 Aliases: CVE-2022-22965 GHSA-36p3-wjmg-h94x GMS-2022-558 GMS-2022-559 GMS-2022-560 GMS-2022-561	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-webflux.	2.5.12 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.6.6 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-k3fg-3bs3-87b9 Aliases: CVE-2025-22235 GHSA-rc42-6c7j-7h5r	Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: * You use Spring Security * EndpointRequest.to() has been used in a Spring Security chain configuration * The endpoint which EndpointRequest references is disabled or not exposed via web * Your application handles requests to /null and this path needs protection You are not affected if any of the following is true: * You don't use Spring Security * You don't use EndpointRequest.to() * The endpoint which EndpointRequest.to() refers to is enabled and is exposed * Your application does not handle requests to /null or this path does not need protection	3.0.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.3.11 Affected by 0 other vulnerabilities. 3.4.5 Affected by 0 other vulnerabilities.
VCID-kwk7-s11d-4ygy Aliases: CVE-2023-34055 GHSA-jjfh-589g-3hjx	Spring Boot Actuator denial of service vulnerability In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * `org.springframework.boot:spring-boot-actuator` is on the classpath	2.7.18 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.0.13 Affected by 0 other vulnerabilities. 3.1.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-cyjt-4vjn-mbc7
Aliases:
CVE-2022-22965
GHSA-36p3-wjmg-h94x
GMS-2022-558
GMS-2022-559
GMS-2022-560
GMS-2022-561

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-webflux.

2.5.12
Affected by 2 other vulnerabilities.

2.6.6
Affected by 2 other vulnerabilities.

VCID-k3fg-3bs3-87b9
Aliases:
CVE-2025-22235
GHSA-rc42-6c7j-7h5r

Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: * You use Spring Security * EndpointRequest.to() has been used in a Spring Security chain configuration * The endpoint which EndpointRequest references is disabled or not exposed via web * Your application handles requests to /null and this path needs protection You are not affected if any of the following is true: * You don't use Spring Security * You don't use EndpointRequest.to() * The endpoint which EndpointRequest.to() refers to is enabled and is exposed * Your application does not handle requests to /null or this path does not need protection

3.0.0
Affected by 1 other vulnerability.

3.3.11
Affected by 0 other vulnerabilities.

3.4.5
Affected by 0 other vulnerabilities.

VCID-kwk7-s11d-4ygy
Aliases:
CVE-2023-34055
GHSA-jjfh-589g-3hjx

Spring Boot Actuator denial of service vulnerability In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * `org.springframework.boot:spring-boot-actuator` is on the classpath

2.7.18
Affected by 1 other vulnerability.

3.0.13
Affected by 0 other vulnerabilities.

3.1.6
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:27:48.027856+00:00	GitLab Importer	Affected by	VCID-k3fg-3bs3-87b9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2025-22235.yml	38.4.0
2026-04-16T22:44:09.997984+00:00	GitLab Importer	Affected by	VCID-kwk7-s11d-4ygy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2023-34055.yml	38.4.0
2026-04-16T21:43:59.586355+00:00	GitLab Importer	Affected by	VCID-cyjt-4vjn-mbc7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2022-22965.yml	38.4.0
2026-04-12T00:47:21.060011+00:00	GitLab Importer	Affected by	VCID-k3fg-3bs3-87b9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2025-22235.yml	38.3.0
2026-04-12T00:03:46.879259+00:00	GitLab Importer	Affected by	VCID-kwk7-s11d-4ygy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2023-34055.yml	38.3.0
2026-04-11T22:59:36.331528+00:00	GitLab Importer	Affected by	VCID-cyjt-4vjn-mbc7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2022-22965.yml	38.3.0
2026-04-03T00:55:19.225517+00:00	GitLab Importer	Affected by	VCID-k3fg-3bs3-87b9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2025-22235.yml	38.1.0
2026-04-03T00:08:27.577699+00:00	GitLab Importer	Affected by	VCID-kwk7-s11d-4ygy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2023-34055.yml	38.1.0
2026-04-02T23:08:17.198386+00:00	GitLab Importer	Affected by	VCID-cyjt-4vjn-mbc7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2022-22965.yml	38.1.0
2026-04-01T17:27:43.263229+00:00	GitLab Importer	Affected by	VCID-cyjt-4vjn-mbc7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2022-22965.yml	38.0.0