Spring
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Spring.
Recent Spring Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2025-05-27 | CVE-2025-41235 - High - CVE-2025-41235: Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies | May 27, 2025 |
| 2025-05-19 | CVE-2025-41232 - Medium - CVE-2025-41232: Spring Security authorization bypass for method security annotations on private methods | May 19, 2025 |
| 2025-05-15 | CVE-2025-22233 - Low - CVE-2025-22233: Spring Framework DataBinder Case Sensitive Match Exception (2nd update) | May 15, 2025 |
| 2025-04-24 | CVE-2025-22235 - Medium - CVE-2025-22235: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | April 24, 2025 |
| 2025-04-22 | CVE-2025-22234 - Medium - CVE-2025-22234: Spring Security BCryptPasswordEncoder maximum password length breaks timing attack mitigation | April 22, 2025 |
| 2025-04-07 | CVE-2025-22232 - Medium - CVE-2025-22232: Spring Cloud Config Server May Not Use Vault Token Sent By Clients | April 7, 2025 |
| 2025-03-19 | CVE-2025-22228 - High - CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length | March 19, 2025 |
| 2025-03-19 | CVE-2025-22223 - Medium - CVE-2025-22223: Spring Security authorization bypass for method security annotations on parameterized types | March 19, 2025 |
| 2024-11-19 | CVE-2024-38829 - Low - CVE-2024-38829: Spring LDAP Spring LDAP sensitive data exposure for case-sensitive comparisons | November 19, 2024 |
| 2024-11-19 | CVE-2024-38827 - Medium - CVE-2024-38827: Spring Security Authorization Bypass for Case Sensitive Comparisons | November 19, 2024 |
By the Year
In 2025 there have been 0 vulnerabilities in Spring. Spring did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 4.30 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Spring vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Spring Security Vulnerabilities
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values
CVE-2023-34047
4.3 - Medium
- September 20, 2023
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry.
