Spring Framework has Authorization Bypass for Case Sensitive Comparisons

GHSA-q3v6-hm2v-pw99 · CVE-2024-38827

Published Dec 2, 2024 · Modified Feb 4, 2026

Description

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-38827
WEB https://github.com/spring-projects/spring-framework/issues/33708
WEB https://github.com/spring-projects/spring-framework/issues/34232
WEB https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9
PACKAGE https://github.com/spring-projects/spring-security
WEB https://security.netapp.com/advisory/ntap-20250124-0007
WEB https://spring.io/security/cve-2024-38827

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes