Latest version: 7.0.7 (published 1 month ago). Package first published: 20 years ago.
Known vulnerabilities in the org.springframework:spring-core package. This does not include vulnerabilities belonging to this package’s dependencies.
| Vulnerability | Vulnerable Version |
|---|---|
| Allocation of Resources Without Limits or Throttling (SpEL expression cache) | [5.3.0,6.0.0) [6.1.0,6.2.19) [7.0.0-M1,7.0.8) |
| Regular Expression Denial of Service (ReDoS) | [5.3.0,6.0.0) [6.1.0,6.2.19) [7.0.0-M1,7.0.8) |
| Allocation of Resources Without Limits or Throttling (static resource resolution) | [,6.2.18) [7.0.0-M1,7.0.7) |

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities. The ranges above use Maven interval notation: `[` and `]` are inclusive bounds, `(` and `)` exclusive, and an empty bound (as in `[,6.2.18)`) is unbounded on that side. Note that the 6.0.x line is absent from the first two ranges, and that the 5.3.x line has no fixed release listed for any of the three issues.

**Allocation of Resources Without Limits or Throttling via caching of parsed Spring Expression Language (SpEL) expressions.** An attacker can cause denial of service by supplying crafted user-controlled SpEL expressions that trigger unbounded growth of the expression cache. Over time, repeated evaluations consume excessive memory, eventually leading to memory exhaustion and application unavailability. Note: exploitation typically requires a large number of expression evaluations, potentially millions of requests, even when reusing a single expression with dynamic inputs. How to fix: upgrade to a version outside the listed ranges, i.e. 6.2.19 or later on the 6.x line, or 7.0.8 or later on the 7.0.x line.

**Regular Expression Denial of Service (ReDoS)** via pattern processing in Note: This is only exploitable if attacker-controlled input is used directly or indirectly as the pattern argument to one of the affected How to fix: upgrade to a version outside the listed ranges, i.e. 6.2.19 or later on the 6.x line, or 7.0.8 or later on the 7.0.x line.

**Allocation of Resources Without Limits or Throttling via static resource resolution.** An attacker can cause denial of service by sending crafted requests that are slow to resolve when accessing file-system-backed static resources, causing HTTP connections to remain occupied and exhausting server resources. Note: This is only exploitable if all the following are true:
How to fix: upgrade to a version outside the listed ranges, i.e. 6.2.18 or later on the 6.x line, or 7.0.7 or later on the 7.0.x line.
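The practical question behind this table is "which spring-core version does my build actually resolve, and does it fall inside one of these intervals?" The declared version in a pom.xml is often not the answer, because spring-core usually arrives transitively through Spring Boot starters. The Python script below is an example added to this page, not Snyk's or the Spring Framework's own code: it parses the Maven interval notation used in the table, orders versions with a simplified version of Maven's qualifier rules (milestone < RC < SNAPSHOT < final release), and extracts the resolved version from `mvn dependency:tree` output. The `SAMPLE_TREE` text is constructed for the example and does not describe a real project.

```python
"""Check a resolved org.springframework:spring-core version against the
vulnerable version ranges listed on this page (Maven interval notation).

Example code added to this page; it is not Snyk's or Spring's own code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Vulnerable ranges copied from the table on this page, keyed by a short name.
ADVISORIES: Dict[str, str] = {
    "SpEL expression cache DoS": "[5.3.0,6.0.0)[6.1.0,6.2.19)[7.0.0-M1,7.0.8)",
    "ReDoS via pattern processing": "[5.3.0,6.0.0)[6.1.0,6.2.19)[7.0.0-M1,7.0.8)",
    "Static resource resolution DoS": "[,6.2.18)[7.0.0-M1,7.0.7)",
}

# Simplified Maven qualifier ordering (lowest first). A version with no
# qualifier ranks highest, so 7.0.0-M1 < 7.0.0-RC1 < 7.0.0-SNAPSHOT < 7.0.0.
_QUALIFIER_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
                   "rc": 3, "cr": 3, "snapshot": 4, "": 5, "ga": 5, "final": 5,
                   "release": 5}


def version_key(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Sort key: (numeric parts padded to 4, qualifier rank, qualifier number)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[.\-](.*))?", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numeric = tuple(int(p) for p in m.group(1).split("."))
    numeric += (0,) * (4 - len(numeric))          # "6.2" sorts like "6.2.0.0"
    qm = re.fullmatch(r"([a-z]*)(\d*)", (m.group(2) or "").lower())
    if not qm:
        raise ValueError(f"unsupported qualifier in: {version!r}")
    word, number = qm.group(1), int(qm.group(2) or 0)
    # Unknown qualifiers (e.g. "sec01") are treated as pre-release, like milestones.
    return numeric, _QUALIFIER_RANK.get(word, 2 if word else 5), number


_RANGE = re.compile(r"([\[(])\s*([^,\[\]()]*?)\s*,\s*([^,\[\]()]*?)\s*([\])])")


def parse_ranges(spec: str) -> List[Tuple[Optional[str], bool, Optional[str], bool]]:
    """Turn "[a,b)[c,d]" into (low, low_inclusive, high, high_inclusive) tuples.
    An empty bound, as in "[,6.2.18)", means unbounded on that side."""
    ranges = [(lo or None, lb == "[", hi or None, hb == "]")
              for lb, lo, hi, hb in _RANGE.findall(spec)]
    if not ranges:
        raise ValueError(f"no version ranges found in {spec!r}")
    return ranges


def is_affected(version: str, spec: str) -> bool:
    """True if `version` lies inside any interval of `spec`."""
    key = version_key(version)
    for lo, lo_incl, hi, hi_incl in parse_ranges(spec):
        if lo is not None:
            lk = version_key(lo)
            if key < lk or (key == lk and not lo_incl):
                continue
        if hi is not None:
            hk = version_key(hi)
            if key > hk or (key == hk and not hi_incl):
                continue
        return True
    return False


def affected_advisories(version: str) -> List[str]:
    return [name for name, spec in ADVISORIES.items() if is_affected(version, spec)]


# One `mvn dependency:tree` line per artifact:
#   groupId:artifactId:type[:classifier]:version:scope
_TREE_LINE = re.compile(
    r"([\w.\-]+):([\w.\-]+):(?:jar|pom|war):(?:[^:\s]+:)?([^:\s]+)"
    r":(?:compile|runtime|provided|test|system)\b")


def resolved_versions(tree_output: str) -> Dict[str, str]:
    """Map "groupId:artifactId" to the version Maven actually resolved."""
    return {f"{g}:{a}": v for g, a, v in _TREE_LINE.findall(tree_output)}


def check_tree(tree_output: str, coordinates: str = "org.springframework:spring-core"):
    """Return (resolved version, list of matching advisories), or None if absent."""
    version = resolved_versions(tree_output).get(coordinates)
    if version is None:
        return None
    return version, affected_advisories(version)


# Constructed sample of `mvn dependency:tree` output (not real project output).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.4.0:compile
[INFO] |  +- org.springframework:spring-web:jar:6.2.17:compile
[INFO] |  |  \\- org.springframework:spring-core:jar:6.2.17:compile
[INFO] |  |     \\- org.springframework:spring-jcl:jar:6.2.17:compile
[INFO] \\- org.springframework:spring-expression:jar:6.2.17:compile
"""

if __name__ == "__main__":
    print(check_tree(SAMPLE_TREE))
```

In a real build, run `mvn dependency:tree` and feed its output to `check_tree`; with the constructed tree above, spring-core 6.2.17 is reported as inside all three ranges, while 6.2.18 would still match the first two. The qualifier handling matters for pre-release builds: 6.2.19-SNAPSHOT sorts below 6.2.19 and is therefore still inside `[6.1.0,6.2.19)`, and 7.0.0-M1 is the inclusive lower bound of the 7.0.x intervals.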