Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.springframework/spring-messaging@4.3.16.RELEASE
purl pkg:maven/org.springframework/spring-messaging@4.3.16.RELEASE
Next non-vulnerable version 4.3.28.RELEASE
Latest non-vulnerable version 5.3.20
Risk 3.1
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-fbxq-3v82-yket
Aliases:
CVE-2018-1257
GHSA-rcpf-vj53-7h2m
Improper Input Validation Spring Framework allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
4.3.17.RELEASE
Affected by 1 other vulnerability.
5.0.6.RELEASE
Affected by 1 other vulnerability.
VCID-fra1-reqm-kfdb
Aliases:
CVE-2020-5421
GHSA-rv39-3qh7-9v7w
Remote file disclosure In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
4.3.28.RELEASE
Affected by 0 other vulnerabilities.
4.3.29.RELEASE
Affected by 0 other vulnerabilities.
5.0.18.RELEASE
Affected by 0 other vulnerabilities.
5.0.19.RELEASE
Affected by 0 other vulnerabilities.
5.1.17.RELEASE
Affected by 0 other vulnerabilities.
5.1.18.RELEASE
Affected by 0 other vulnerabilities.
5.2.8.RELEASE
Affected by 0 other vulnerabilities.
5.2.9.RELEASE
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-72ga-q9u7-sfav Improperly Implemented Security Check for Standard Spring Framework allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. CVE-2018-1275
GHSA-3rmv-2pg5-xvqj
VCID-haqr-jpvm-eqck Improper Control of Generation of Code ('Code Injection') Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. CVE-2018-1270
GHSA-p5hg-3xm3-gcjg

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-05T21:07:13.086272+00:00 GHSA Importer Fixing VCID-72ga-q9u7-sfav https://github.com/advisories/GHSA-3rmv-2pg5-xvqj 38.6.0
2026-06-05T21:07:12.310820+00:00 GHSA Importer Fixing VCID-haqr-jpvm-eqck https://github.com/advisories/GHSA-p5hg-3xm3-gcjg 38.6.0
2026-06-04T20:39:08.231823+00:00 GitLab Importer Affected by VCID-fra1-reqm-kfdb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-messaging/CVE-2020-5421.yml 38.6.0
2026-06-04T20:12:07.529857+00:00 GitLab Importer Affected by VCID-fbxq-3v82-yket https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-messaging/CVE-2018-1257.yml 38.6.0
2026-06-04T17:37:59.278431+00:00 GithubOSV Importer Fixing VCID-72ga-q9u7-sfav https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-3rmv-2pg5-xvqj/GHSA-3rmv-2pg5-xvqj.json 38.6.0
2026-06-04T17:37:51.146488+00:00 GithubOSV Importer Fixing VCID-haqr-jpvm-eqck https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-p5hg-3xm3-gcjg/GHSA-p5hg-3xm3-gcjg.json 38.6.0
2026-06-02T04:38:26.339305+00:00 GitLab Importer Fixing VCID-haqr-jpvm-eqck https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-messaging/CVE-2018-1270.yml 38.6.0