org.springframework.ws:spring-xml 5.0.1

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.ws:spring-xml package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H XML External Entity (XXE) Injection org.springframework.ws:spring-xml is a dependency of org.springframework.ws. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the `Jaxp13XPathTemplate` class in `Jaxp13XPathTemplate.java`. When XPath expressions are evaluated against `StreamSource` and `SAXSource` inputs, the template parses the XML through `XPath.evaluate(String, InputSource, QName)`, which uses the JDK's default `DocumentBuilderFactory` and bypasses spring-xml's hardened parser configuration. As a result, external entity references in attacker-controlled XML are resolved during parsing. An attacker who can supply or influence the XML evaluated by an application can exploit XML External Entity (XXE) processing to read confidential local files or trigger server-side request forgery (SSRF) through external entities, depending on parser and platform behavior. Note: This is only exploitable if the application evaluates XPath over data controlled or influenced by remote users using the affected `StreamSource` or `SAXSource` types without an additional hardening layer. How to fix XML External Entity (XXE) Injection? Upgrade `org.springframework.ws:spring-xml` to version 4.1.4, 5.0.2 or higher.	[,4.1.4)[5.0.0-M1,5.0.2)

Vulnerability

Vulnerable Version

XML External Entity (XXE) Injection

org.springframework.ws:spring-xml is a dependency of org.springframework.ws.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the Jaxp13XPathTemplate class in Jaxp13XPathTemplate.java. When XPath expressions are evaluated against StreamSource and SAXSource inputs, the template parses the XML through XPath.evaluate(String, InputSource, QName), which uses the JDK's default DocumentBuilderFactory and bypasses spring-xml's hardened parser configuration. As a result, external entity references in attacker-controlled XML are resolved during parsing. An attacker who can supply or influence the XML evaluated by an application can exploit XML External Entity (XXE) processing to read confidential local files or trigger server-side request forgery (SSRF) through external entities, depending on parser and platform behavior.

Note:

This is only exploitable if the application evaluates XPath over data controlled or influenced by remote users using the affected StreamSource or SAXSource types without an additional hardening layer.

How to fix XML External Entity (XXE) Injection?

Upgrade org.springframework.ws:spring-xml to version 4.1.4, 5.0.2 or higher.

[,4.1.4)[5.0.0-M1,5.0.2)

org.springframework.ws:spring-xml@5.0.1

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically