Vulnerable Library - spring-boot-devtools-3.3.5.jar
Spring Boot Developer Tools
Library home page: https://spring.io/projects/spring-boot
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (spring-boot-devtools version) |
Remediation Possible** |
| CVE-2026-40972 |
 High |
7.5 |
spring-boot-devtools-3.3.5.jar |
Direct |
3.3.19 |
❌ |
| CVE-2025-41249 |
High |
7.5 |
spring-core-6.1.14.jar |
Transitive |
N/A* |
❌ |
| CVE-2025-22235 |
High |
7.3 |
spring-boot-3.3.5.jar |
Transitive |
N/A* |
❌ |
| CVE-2026-40973 |
High |
7.0 |
spring-boot-3.3.5.jar |
Transitive |
N/A* |
❌ |
| CVE-2026-40974 |
 Medium |
5.0 |
spring-boot-autoconfigure-3.3.5.jar |
Transitive |
3.4.0 |
✅ |
| CVE-2026-40975 |
Medium |
4.8 |
spring-boot-3.3.5.jar |
Transitive |
N/A* |
❌ |
| CVE-2026-40977 |
Medium |
4.7 |
spring-boot-3.3.5.jar |
Transitive |
N/A* |
❌ |
| CVE-2025-22233 |
 Low |
3.1 |
spring-context-6.1.14.jar |
Transitive |
3.3.12 |
✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-40972
Vulnerable Library - spring-boot-devtools-3.3.5.jar
Spring Boot Developer Tools
Library home page: https://spring.io/projects/spring-boot
Dependency Hierarchy:
- ❌ spring-boot-devtools-3.3.5.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40972
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: 3.3.19
CVE-2025-41249
Vulnerable Library - spring-core-6.1.14.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Dependency Hierarchy:
- spring-boot-devtools-3.3.5.jar (Root Library)
- spring-boot-3.3.5.jar
- ❌ spring-core-6.1.14.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-16
URL: CVE-2025-41249
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41249
Release Date: 2025-09-14
Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.11,org.springframework:spring-core:6.2.11
CVE-2025-22235
Vulnerable Library - spring-boot-3.3.5.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Dependency Hierarchy:
- spring-boot-devtools-3.3.5.jar (Root Library)
- ❌ spring-boot-3.3.5.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:
- You use Spring Security
- EndpointRequest.to() has been used in a Spring Security chain configuration
- The endpoint which EndpointRequest references is disabled or not exposed via web
- Your application handles requests to /null and this path needs protection
You are not affected if any of the following is true:
- You don't use Spring Security
- You don't use EndpointRequest.to()
- The endpoint which EndpointRequest.to() refers to is enabled and is exposed
- Your application does not handle requests to /null or this path does not need protection
Publish Date: 2025-04-28
URL: CVE-2025-22235
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-04-24
Fix Resolution: https://github.com/spring-projects/spring-boot.git - v3.4.5,https://github.com/spring-projects/spring-boot.git - v3.3.11,org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.5,org.springframework.boot:spring-boot-actuator-autoconfigure:3.3.11
CVE-2026-40973
Vulnerable Library - spring-boot-3.3.5.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Dependency Hierarchy:
- spring-boot-devtools-3.3.5.jar (Root Library)
- ❌ spring-boot-3.3.5.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A local attacker on the same host as the application may be able to take control of the directory used by "ApplicationTemp". When "server.servlet.session.persistent" is set to "true" and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / "ApplicationTemp" ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40973
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: org.springframework.boot:spring-boot:4.0.6,https://github.com/spring-projects/spring-boot.git - v4.0.6,https://github.com/spring-projects/spring-boot.git - v3.3.14,https://github.com/spring-projects/spring-boot.git - v3.5.14,org.springframework.boot:spring-boot:3.5.14,https://github.com/spring-projects/spring-boot.git - v3.4.14
CVE-2026-40974
Vulnerable Library - spring-boot-autoconfigure-3.3.5.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/3.3.5/1efbbd46eeef054986796200313f4bb0d53a7268/spring-boot-autoconfigure-3.3.5.jar
Dependency Hierarchy:
- spring-boot-devtools-3.3.5.jar (Root Library)
- ❌ spring-boot-autoconfigure-3.3.5.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40974
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 3.3.19
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 3.4.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-40975
Vulnerable Library - spring-boot-3.3.5.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Dependency Hierarchy:
- spring-boot-devtools-3.3.5.jar (Root Library)
- ❌ spring-boot-3.3.5.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40975
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: org.springframework.boot:spring-boot:4.0.6,https://github.com/spring-projects/spring-boot.git - v3.4.14,https://github.com/spring-projects/spring-boot.git - v3.3.14,https://github.com/spring-projects/spring-boot.git - v4.0.6,https://github.com/spring-projects/spring-boot.git - v3.5.14,org.springframework.boot:spring-boot:3.5.14
CVE-2026-40977
Vulnerable Library - spring-boot-3.3.5.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Dependency Hierarchy:
- spring-boot-devtools-3.3.5.jar (Root Library)
- ❌ spring-boot-3.3.5.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
When an application is configured to use "ApplicationPidFileWriter", a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior ("ApplicationPidFileWriter"). Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40977
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: https://github.com/spring-projects/spring-boot.git - v4.0.6,https://github.com/spring-projects/spring-boot.git - v3.5.14,org.springframework.boot:spring-boot:4.0.6,https://github.com/spring-projects/spring-boot.git - v3.3.14,https://github.com/spring-projects/spring-boot.git - v3.4.14,org.springframework.boot:spring-boot:3.5.14
CVE-2025-22233
Vulnerable Library - spring-context-6.1.14.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/6.1.14/b3d96fb4310376a608465c3544b7cfb790293787/spring-context-6.1.14.jar
Dependency Hierarchy:
- spring-boot-devtools-3.3.5.jar (Root Library)
- spring-boot-3.3.5.jar
- ❌ spring-context-6.1.14.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
- 6.2.0 - 6.2.6
- 6.1.0 - 6.1.19
- 6.0.0 - 6.0.27
- 5.3.0 - 5.3.42
- Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix Version Availability 6.2.x
6.2.7
OSS6.1.x
6.1.20
OSS6.0.x
6.0.28
Commercial https://enterprise.spring.io/ 5.3.x
5.3.43
Commercial https://enterprise.spring.io/
No further mitigation steps are necessary.
Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
Publish Date: 2025-05-16
URL: CVE-2025-22233
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-22233
Release Date: 2025-05-16
Fix Resolution (org.springframework:spring-context): 6.1.20
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 3.3.12
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Spring Boot Developer Tools
Library home page: https://spring.io/projects/spring-boot
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - spring-boot-devtools-3.3.5.jar
Spring Boot Developer Tools
Library home page: https://spring.io/projects/spring-boot
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40972
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: 3.3.19
Vulnerable Library - spring-core-6.1.14.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-16
URL: CVE-2025-41249
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41249
Release Date: 2025-09-14
Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.11,org.springframework:spring-core:6.2.11
Vulnerable Library - spring-boot-3.3.5.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:
You are not affected if any of the following is true:
Publish Date: 2025-04-28
URL: CVE-2025-22235
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-04-24
Fix Resolution: https://github.com/spring-projects/spring-boot.git - v3.4.5,https://github.com/spring-projects/spring-boot.git - v3.3.11,org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.5,org.springframework.boot:spring-boot-actuator-autoconfigure:3.3.11
Vulnerable Library - spring-boot-3.3.5.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A local attacker on the same host as the application may be able to take control of the directory used by "ApplicationTemp". When "server.servlet.session.persistent" is set to "true" and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / "ApplicationTemp" ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40973
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: org.springframework.boot:spring-boot:4.0.6,https://github.com/spring-projects/spring-boot.git - v4.0.6,https://github.com/spring-projects/spring-boot.git - v3.3.14,https://github.com/spring-projects/spring-boot.git - v3.5.14,org.springframework.boot:spring-boot:3.5.14,https://github.com/spring-projects/spring-boot.git - v3.4.14
Vulnerable Library - spring-boot-autoconfigure-3.3.5.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/3.3.5/1efbbd46eeef054986796200313f4bb0d53a7268/spring-boot-autoconfigure-3.3.5.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40974
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 3.3.19
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 3.4.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - spring-boot-3.3.5.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40975
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: org.springframework.boot:spring-boot:4.0.6,https://github.com/spring-projects/spring-boot.git - v3.4.14,https://github.com/spring-projects/spring-boot.git - v3.3.14,https://github.com/spring-projects/spring-boot.git - v4.0.6,https://github.com/spring-projects/spring-boot.git - v3.5.14,org.springframework.boot:spring-boot:3.5.14
Vulnerable Library - spring-boot-3.3.5.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
When an application is configured to use "ApplicationPidFileWriter", a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior ("ApplicationPidFileWriter"). Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40977
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: https://github.com/spring-projects/spring-boot.git - v4.0.6,https://github.com/spring-projects/spring-boot.git - v3.5.14,org.springframework.boot:spring-boot:4.0.6,https://github.com/spring-projects/spring-boot.git - v3.3.14,https://github.com/spring-projects/spring-boot.git - v3.4.14,org.springframework.boot:spring-boot:3.5.14
Vulnerable Library - spring-context-6.1.14.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/6.1.14/b3d96fb4310376a608465c3544b7cfb790293787/spring-context-6.1.14.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix Version Availability 6.2.x
6.2.7
OSS6.1.x
6.1.20
OSS6.0.x
6.0.28
Commercial https://enterprise.spring.io/ 5.3.x
5.3.43
Commercial https://enterprise.spring.io/
No further mitigation steps are necessary.
Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
Publish Date: 2025-05-16
URL: CVE-2025-22233
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-22233
Release Date: 2025-05-16
Fix Resolution (org.springframework:spring-context): 6.1.20
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 3.3.12
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.