Search for packages
| purl | pkg:maven/org.springframework/spring-webmvc@5.3.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7x5d-wtf5-3kau
Aliases: CVE-2024-38828 GHSA-w3c8-7r8f-9jp8 |
Spring MVC controller vulnerable to a DoS attack Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack. |
Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-85dj-ems3-vyh4
Aliases: CVE-2026-22735 GHSA-6hcq-hmm3-jj3c |
Spring MVC and WebFlux has Server Sent Event stream corruption Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-afh4-nhxq-y3he
Aliases: CVE-2023-20860 GHSA-7phw-cxx7-q9vq |
Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-cyjt-4vjn-mbc7
Aliases: CVE-2022-22965 GHSA-36p3-wjmg-h94x GMS-2022-558 GMS-2022-559 GMS-2022-560 GMS-2022-561 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-webflux. |
Affected by 1 other vulnerability. |
|
VCID-dy4t-tm9m-rfex
Aliases: CVE-2022-22950 GHSA-558x-2xjg-6232 |
Allocation of Resources Without Limits or Throttling in Spring Framework In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a Denial of Service. |
Affected by 2 other vulnerabilities. |
|
VCID-gxnm-rk3x-zkdw
Aliases: CVE-2024-38816 GHSA-cx7f-g6mp-7hqm |
Path traversal vulnerability in functional web frameworks Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: * the web application uses RouterFunctions to serve static resources * resource handling is explicitly configured with a FileSystemResource location However, malicious requests are blocked and rejected when any of the following is true: * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use * the application runs on Tomcat or Jetty |
Affected by 0 other vulnerabilities. |
|
VCID-n1vf-acj7-gkaf
Aliases: CVE-2025-41242 GHSA-r936-gwx5-v52f |
Spring Framework MVC Applications Path Traversal Vulnerability Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: * the application is deployed as a WAR or with an embedded Servlet container * the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization * the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with Spring resource handling We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application. |
Affected by 0 other vulnerabilities. |
|
VCID-sh22-dem5-aqf3
Aliases: CVE-2026-22737 GHSA-4773-3jfm-qmx3 |
Spring Framework Improper Path Limitation with Script View Templates Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||