Spring Framework Path Traversal vulnerability

GHSA-g5vr-rgqm-vf78 · CVE-2024-38819

Published Dec 19, 2024 · Modified May 28, 2025

Description

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

References

7.5 / 10

HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Packages

Maven/org.springframework:spring-webflux

Fix 6.1.14

Introduced 0, 6.0.0, 6.1.0

146 affected versions

5.0.0.RELEASE5.0.1.RELEASE5.0.10.RELEASE5.0.11.RELEASE5.0.12.RELEASE5.0.13.RELEASE5.0.14.RELEASE5.0.15.RELEASE5.0.16.RELEASE5.0.17.RELEASE5.0.18.RELEASE5.0.19.RELEASE5.0.2.RELEASE5.0.20.RELEASE5.0.3.RELEASE5.0.4.RELEASE5.0.5.RELEASE5.0.6.RELEASE5.0.7.RELEASE5.0.8.RELEASE +126 more

Maven/org.springframework:spring-webmvc

Fix 6.1.14

Introduced 0, 6.0.0, 6.1.0

288 affected versions

1.01.0-rc11.0.11.11.1-rc11.1-rc21.1.11.1.21.1.31.1.41.1.51.21.2-rc11.2-rc21.2.11.2.21.2.31.2.41.2.51.2.6 +268 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes