Spring Framework Vulnerabilities CVE-2022-22971 CVE-2018-11039 CVE-2018-11040 

Issue date: 21-09-2022
Affects versions: 15.1, 14.7, 13.4

Security Issue ID


Affected Product Version(s)

15.1.0, 14.7.8, 13.4.18, and all previous versions





A Spring application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user. The spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions are affected.


Spring Framework allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.


Spring Framework allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot. However when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

The problems have been recognized and patched.


Customers are recommended to upgrade to the latest version. As of the time of writing, 15.1.1, 14.7.9 or 13.4.19