Spring Untrusted Java Deserialization Vulnerability CVE-2016-1000027 

Issue date: 16-09-2022
Affects versions: 15.1, 14.7, 13.4

Security Issue ID

Affected Product Version(s)

15.1.0, 14.7.8, 13.4.18, and all previous versions

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if it is used for Java deserialization of untrusted data. Depending on how the library is used within a product, this issue may or may not occur, and authentication may be required.

This is not a vulnerability in Spring itself; it is mostly about how applications use it. Pivotal Spring Framework has no plan to fix this. It is advised not to use Java serialization for external endpoints, and in particular not for unauthenticated ones.


Verify that project code follows the usage recommendations for the Spring library.