VulnerableCode Package Details - pkg:maven/org.springframework/spring-context@6.1.19

Search for packages

Vulnerability	Summary	Fixed by
VCID-w11m-ut2r-tbcq Aliases: CVE-2025-22233 GHSA-4wp7-92pw-q264	Spring Framework DataBinder Case Sensitive Match Exception CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions Spring Framework: * 6.2.0 - 6.2.6 * 6.1.0 - 6.1.19 * 6.0.0 - 6.0.27 * 5.3.0 - 5.3.42 * Older, unsupported versions are also affected Mitigation Users of affected versions should upgrade to the corresponding fixed version. \| Affected version(s) \| Fix Version \| Availability \| \| - \| - \| - \| \| 6.2.x \| 6.2.7 \| OSS \| \| 6.1.x \| 6.1.20 \| OSS \| \| 6.0.x \| 6.0.28 \| Commercial https://enterprise.spring.io/ \| \| 5.3.x \| 5.3.43 \| Commercial https://enterprise.spring.io/ \| No further mitigation steps are necessary. Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation. For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields. Credit This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.	6.1.20 Affected by 0 other vulnerabilities. 6.2.7 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-w11m-ut2r-tbcq
Aliases:
CVE-2025-22233
GHSA-4wp7-92pw-q264

Spring Framework DataBinder Case Sensitive Match Exception CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions Spring Framework: * 6.2.0 - 6.2.6 * 6.1.0 - 6.1.19 * 6.0.0 - 6.0.27 * 5.3.0 - 5.3.42 * Older, unsupported versions are also affected Mitigation Users of affected versions should upgrade to the corresponding fixed version. | Affected version(s) | Fix Version | Availability | | - | - | - | | 6.2.x | 6.2.7 | OSS | | 6.1.x | 6.1.20 | OSS | | 6.0.x | 6.0.28 | Commercial https://enterprise.spring.io/ | | 5.3.x | 5.3.43 | Commercial https://enterprise.spring.io/ | No further mitigation steps are necessary. Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation. For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields. Credit This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.

6.1.20
Affected by 0 other vulnerabilities.

6.2.7
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-07T04:57:49.077207+00:00	GHSA Importer	Affected by	VCID-w11m-ut2r-tbcq	https://github.com/advisories/GHSA-4wp7-92pw-q264	38.1.0

2026-04-07T04:57:49.077207+00:00

GHSA Importer

Affected by

VCID-w11m-ut2r-tbcq

https://github.com/advisories/GHSA-4wp7-92pw-q264

38.1.0

Next non-vulnerable version	6.1.20
Latest non-vulnerable version	6.2.7
Risk	1.4