
CVE-2025-41232 – Spring Security authorization bypass for method security annotations on private methods
https://notcve.org/view.php?id=CVE-2025-41232
21 May 2025 — Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass. Your application may be affected by this if the following are true:
* You are using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and
* You have Spring Security method annotations on a private method
In that case, the target method may be able to be invoked without proper authorization. You are not affected if:
* You are not using @EnableMethodSecurity(m...
• http://spring.io/security/cve-2025-41232 • CWE-693: Protection Mechanism Failure •

CVE-2025-22233 – Spring Framework DataBinder Case Sensitive Match Exception
https://notcve.org/view.php?id=CVE-2025-22233
16 May 2025 — CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
* 6.2.0 - 6.2.6
* 6.1.0 - 6.1.19
* 6.0.0 - 6.0.27
* 5.3.0 - 5.3.42
* Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version. Affected versi...
• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N&version=3.1 • CWE-20: Improper Input Validation •

CVE-2025-22235 – Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
https://notcve.org/view.php?id=CVE-2025-22235
28 Apr 2025 — EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met:
* You use Spring Security
* EndpointRequest.to() has been used in a Spring Security chain configuration
* The endpoint which EndpointRequest references is disabled or not exposed via web
* Your application handles requests to /null and this path needs protection
You are not af...
• https://spring.io/security/cve-2025-22235 • CWE-20: Improper Input Validation •

CVE-2025-22232 – Spring Cloud Config Server May Not Use Vault Token Sent By Clients
https://notcve.org/view.php?id=CVE-2025-22232
10 Apr 2025 — Spring Cloud Config Server may not use the Vault token sent by clients using an X-CONFIG-TOKEN header when making requests to Vault. Your application may be affected by this if the following are true:
* You have Spring Vault on the classpath of your Spring Cloud Config Server and
* You are using the X-CONFIG-TOKEN header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault and
* You are using the default Spring Vault SessionManager implementation
Life...
• https://spring.io/security/cve-2025-22232 • CWE-287: Improper Authentication •

CVE-2025-22223
https://notcve.org/view.php?id=CVE-2025-22223
24 Mar 2025 — Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized types or methods, or all method security annotations are attached to target methods.
• https://github.com/1ucky7/cve-2025-22223-demo-1.0.0 • CWE-290: Authentication Bypass by Spoofing •

CVE-2025-22228 – Spring Security BCryptPasswordEncoder does not enforce maximum password length
https://notcve.org/view.php?id=CVE-2025-22228
20 Mar 2025 — BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same. A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.
• https://spring.io/security/cve-2025-22228 • CWE-287: Improper Authentication CWE-863: Incorrect Authorization •

CVE-2024-38829 – Spring LDAP sensitive data exposure for case-sensitive comparisons
https://notcve.org/view.php?id=CVE-2024-38829
04 Dec 2024 — A vulnerability in VMware Tanzu Spring LDAP allows data exposure for case-sensitive comparisons. This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0. The usage of String.toLowerCase() and String.toUpperCase() has some Locale-dependent exceptions that could potentially result in unintended columns being queried. Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820
• https://spring.io/security/cve-2024-38829 • CWE-178: Improper Handling of Case Sensitivity •

CVE-2024-38828 – DoS via Spring MVC controller method with byte[] parameter
https://notcve.org/view.php?id=CVE-2024-38828
18 Nov 2024 — Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
• https://github.com/First-Roman/sprig-mvc-demo-patch • CWE-400: Uncontrolled Resource Consumption •

CVE-2024-38821 – Authorization Bypass of Static Resources in WebFlux Applications
https://notcve.org/view.php?id=CVE-2024-38821
28 Oct 2024 — Spring Security authorization rules on static resources in Spring WebFlux applications can be bypassed under certain circumstances. For this to impact an application, all of the following must be true:
* It must be a WebFlux application
* It must be using Spring's static resources support
* It must have a non-permitAll authorization rule applied to the static resources support
• https://github.com/zetraxz/CVE-2024-38821 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-38816 – Path traversal vulnerability in functional web frameworks
https://notcve.org/view.php?id=CVE-2024-38816
13 Sep 2024 — Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true:
* the web application uses RouterFunctions to serve static resources
* resource handling is explicitly configured with a F...
• https://github.com/masa42/CVE-2024-38816-PoC • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •