Severity: MEDIUM (CVSS 5.3) · Ecosystem: Maven
Spring Framework DoS via conditional HTTP request
GHSA-2rmj-mq67-h97g · CVE-2024-38809
Description
Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to a DoS attack. A crafted value in either header makes the ETag parsing in spring-web consume disproportionate resources, so an unauthenticated client can degrade the server with ordinary-looking conditional HTTP requests. In spring-web this parsing runs whenever an application evaluates conditional requests, for example through WebRequest.checkNotModified(...).
Affected Spring Products and Versions
org.springframework:spring-web in versions
6.1.0 through 6.1.11
6.0.0 through 6.0.22
5.3.0 through 5.3.37
Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
6.1.x -> 6.1.12
6.0.x -> 6.0.23
5.3.x -> 5.3.38
Upgrading is the only required step; no other mitigation is necessary on fixed versions.
Users of older, unsupported versions, which receive no fix, can limit exposure by enforcing a size limit on the If-Match and If-None-Match request headers, e.g. through a servlet Filter that runs before Spring's request handling.
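A filter of the kind the mitigation note describes, written here as an added example that is not part of Spring Framework or of the advisory. It assumes a javax.servlet container (Servlet 3.0+, as used by the unsupported Spring 5.2 and earlier lines; on Servlet 5+ replace javax with jakarta) and a hypothetical 1 KiB budget per header; the class and constant names are illustrative:

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests whose If-Match / If-None-Match headers exceed a size budget
 * before any ETag parsing can run. Hypothetical mitigation for unpatched
 * spring-web deployments; not Spring Framework code.
 */
@WebFilter("/*")
public class ConditionalHeaderSizeFilter implements Filter {

    // Assumed budget: a legitimate header carries a few quoted ETags (tens of
    // bytes), so 1 KiB is generous while still bounding the parser's input.
    private static final int MAX_HEADER_BYTES = 1024;

    private static final List<String> GUARDED_HEADERS =
            Arrays.asList("If-Match", "If-None-Match");

    /** True if the combined length of each guarded header's values is within budget. */
    static boolean withinBudget(HttpServletRequest request) {
        for (String name : GUARDED_HEADERS) {
            Enumeration<String> values = request.getHeaders(name);
            if (values == null) {
                continue; // some containers return null when access to a header is not allowed
            }
            int total = 0;
            while (values.hasMoreElements()) {
                // Header values are byte-oriented (ISO-8859-1), so length() counts bytes.
                total += values.nextElement().length();
                if (total > MAX_HEADER_BYTES) {
                    return false;
                }
            }
        }
        return true;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            if (!withinBudget((HttpServletRequest) req)) {
                // 431 Request Header Fields Too Large (RFC 6585); the chain is not
                // continued, so Spring never sees the oversized header.
                ((HttpServletResponse) res).sendError(431, "Conditional request header too large");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The filter must be registered at the container level (the @WebFilter annotation above, or an equivalent web.xml entry) rather than inside a Spring handler, so that the check happens before any code that calls into spring-web's conditional-request support. The budget bounds the parser's input; it does not validate ETag syntax, which remains the application's responsibility on unpatched versions.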
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-38809
- WEB https://github.com/spring-projects/spring-framework/issues/33372
- WEB https://github.com/spring-projects/spring-framework/commit/582bfccbb72e5c8959a0b472d1dc7d03a20520f3
- WEB https://github.com/spring-projects/spring-framework/commit/8d16a50907c11f7e6b407d878a26e84eba08a533
- WEB https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85
- PACKAGE https://github.com/spring-projects/spring-framework
- WEB https://spring.io/security/cve-2024-38809