org.springframework.boot:spring-boot@3.3.8

  • latest version

    4.0.6

  • latest non vulnerable version

  • first published

    12 years ago

  • latest version published

    20 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.springframework.boot:spring-boot package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • M (medium severity): Symlink Attack

    Affected versions of this package are vulnerable to Symlink Attack due to insecure handling of Process ID (PID) files. When an application uses the ApplicationPidFileWriter, it writes its PID to a predictable file system path. A local attacker with write access to the PID file's directory can create a symbolic link (symlink) at that path. When the Spring Boot application starts, it follows this symlink and overwrites the target file with its PID. This allows the attacker to corrupt or "clobber" sensitive system files, potentially leading to a denial of service or system instability.

    How to fix Symlink Attack?

    Upgrade org.springframework.boot:spring-boot to version 3.5.14, 4.0.6 or higher.

    Vulnerable versions: [,3.5.14), [4.0.0-M1,4.0.6)
    • H (high severity): Insecure Temporary File

    Affected versions of this package are vulnerable to Insecure Temporary File due to the ApplicationTemp mechanism creating a temporary directory using a predictable name. Because the name can be easily guessed, a local attacker on the same server can maliciously pre-create this directory before the Spring Boot application starts. When the application launches, it would blindly use the existing directory without verifying if it is actually owned by the application's user or the attacker.

    How to fix Insecure Temporary File?

    Upgrade org.springframework.boot:spring-boot to version 3.5.14, 4.0.6 or higher.

    Vulnerable versions: [,3.5.14), [4.0.0-M1,4.0.6)
    • H (high severity): Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
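    The two filesystem issues above (a PID file written through a planted symlink, and a predictable temporary directory reused without checking who owns it) share the same defensive pattern: never follow links, create with O_EXCL semantics, and verify ownership and mode before trusting a pre-existing directory. The following is an added example of that pattern, not Spring Boot's own ApplicationPidFileWriter or ApplicationTemp code; the class and method names (SafeFileHelpers, writePidFile, verifiedTempDir), the "myapp-<user>" directory name, and a POSIX filesystem are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.EnumSet;
import java.util.Set;

// Hypothetical helpers (added example, not Spring Boot's ApplicationPidFileWriter or ApplicationTemp).
public final class SafeFileHelpers {
    private static final Set<PosixFilePermission> OWNER_ONLY = EnumSet.of(
            PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE);
    /** Writes the PID without ever following a link planted at the target path. */
    public static void writePidFile(Path pidFile, long pid) throws IOException {
        // A stale PID file from a previous run may be removed; a symlink is refused, never followed.
        if (Files.isSymbolicLink(pidFile)) {
            throw new IOException("refusing to write PID: " + pidFile + " is a symbolic link");
        }
        Files.deleteIfExists(pidFile);
        // CREATE_NEW is O_CREAT|O_EXCL: a link appearing after the check makes the open fail, not clobber.
        Files.write(pidFile, Long.toString(pid).getBytes(StandardCharsets.US_ASCII),
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
    }

    /** Returns dir only if it is a plain directory owned by this user and closed to everyone else. */
    public static Path verifiedTempDir(Path dir) throws IOException {
        if (Files.notExists(dir, LinkOption.NOFOLLOW_LINKS)) {
            // Atomic create with owner-only permissions; fails if someone pre-creates it meanwhile.
            return Files.createDirectory(dir, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        }
        if (Files.isSymbolicLink(dir) || !Files.isDirectory(dir, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException(dir + " exists but is not a plain directory");
        }
        UserPrincipal owner = Files.getOwner(dir, LinkOption.NOFOLLOW_LINKS);
        UserPrincipal self = dir.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        if (!owner.equals(self)) {
            throw new IOException(dir + " is owned by " + owner.getName() + ", not by this process");
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir, LinkOption.NOFOLLOW_LINKS);
        if (!OWNER_ONLY.containsAll(perms)) { // any group/other bit lets another user act on it
            throw new IOException(dir + " is open to other users: " + PosixFilePermissions.toString(perms));
        }
        return dir;
    }

    public static void main(String[] args) throws IOException {
        Path appDir = verifiedTempDir(Paths.get(System.getProperty("java.io.tmpdir"), "myapp-" + System.getProperty("user.name")));
        writePidFile(appDir.resolve("application.pid"), ProcessHandle.current().pid());
    }
}
```

    Both helpers fail closed: a pre-created directory belonging to another user, a group- or world-writable one, or a symlink at the PID path produces an exception at startup rather than silent reuse or an overwritten target.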

    Affected versions of this package are vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) for the property source for ${random.value} (as well as ${random.int} and ${random.long}). Standard PRNGs (like java.util.Random) use deterministic mathematical algorithms starting from a seed value. Because the state space is relatively small and lacks ongoing entropy (true randomness), an attacker who observes a sequence of generated values can mathematically reverse-engineer the seed. Once the seed is known, the attacker can predict all past and future values generated by that PRNG. If these values are used to generate security-sensitive assets like API keys, session tokens, or passwords, the system becomes compromised.

    How to fix Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)?

    Upgrade org.springframework.boot:spring-boot to version 3.5.14, 4.0.6 or higher.

    Vulnerable versions: [,3.5.14), [4.0.0-M1,4.0.6)