VulnerableCode Package Details - pkg:maven/org.springframework/spring-context@6.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-pzz7-mfs4-rfda Aliases: CVE-2024-38820 GHSA-4gc7-5j7h-4qph	Spring Framework DataBinder Case Sensitive Match Exception The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.	6.1.14 Affected by 0 other vulnerabilities.
VCID-w11m-ut2r-tbcq Aliases: CVE-2025-22233 GHSA-4wp7-92pw-q264	Spring Framework DataBinder Case Sensitive Match Exception CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions Spring Framework: * 6.2.0 - 6.2.6 * 6.1.0 - 6.1.19 * 6.0.0 - 6.0.27 * 5.3.0 - 5.3.42 * Older, unsupported versions are also affected Mitigation Users of affected versions should upgrade to the corresponding fixed version. \| Affected version(s) \| Fix Version \| Availability \| \| - \| - \| - \| \| 6.2.x \| 6.2.7 \| OSS \| \| 6.1.x \| 6.1.20 \| OSS \| \| 6.0.x \| 6.0.28 \| Commercial https://enterprise.spring.io/ \| \| 5.3.x \| 5.3.43 \| Commercial https://enterprise.spring.io/ \| No further mitigation steps are necessary. Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation. For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields. Credit This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.	6.1.20 Affected by 0 other vulnerabilities. 6.2.7 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-pzz7-mfs4-rfda
Aliases:
CVE-2024-38820
GHSA-4gc7-5j7h-4qph

Spring Framework DataBinder Case Sensitive Match Exception The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

6.1.14
Affected by 0 other vulnerabilities.

VCID-w11m-ut2r-tbcq
Aliases:
CVE-2025-22233
GHSA-4wp7-92pw-q264

Spring Framework DataBinder Case Sensitive Match Exception CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions Spring Framework: * 6.2.0 - 6.2.6 * 6.1.0 - 6.1.19 * 6.0.0 - 6.0.27 * 5.3.0 - 5.3.42 * Older, unsupported versions are also affected Mitigation Users of affected versions should upgrade to the corresponding fixed version. | Affected version(s) | Fix Version | Availability | | - | - | - | | 6.2.x | 6.2.7 | OSS | | 6.1.x | 6.1.20 | OSS | | 6.0.x | 6.0.28 | Commercial https://enterprise.spring.io/ | | 5.3.x | 5.3.43 | Commercial https://enterprise.spring.io/ | No further mitigation steps are necessary. Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation. For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields. Credit This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.

6.1.20
Affected by 0 other vulnerabilities.

6.2.7
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-07T04:57:49.109458+00:00	GHSA Importer	Affected by	VCID-w11m-ut2r-tbcq	https://github.com/advisories/GHSA-4wp7-92pw-q264	38.1.0
2026-04-01T16:06:42.556086+00:00	GHSA Importer	Affected by	VCID-pzz7-mfs4-rfda	https://github.com/advisories/GHSA-4gc7-5j7h-4qph	38.0.0

2026-04-07T04:57:49.109458+00:00

GHSA Importer

Affected by

VCID-w11m-ut2r-tbcq

https://github.com/advisories/GHSA-4wp7-92pw-q264

38.1.0

2026-04-01T16:06:42.556086+00:00

GHSA Importer

Affected by

VCID-pzz7-mfs4-rfda

https://github.com/advisories/GHSA-4gc7-5j7h-4qph

38.0.0

Next non-vulnerable version	6.1.14
Latest non-vulnerable version	6.2.7
Risk	3.1