org.springframework:spring-web 6.2.1

Direct Vulnerabilities

Known vulnerabilities in the org.springframework:spring-web package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'). The vulnerability exists in the handling of Server-Sent Events (SSE) when streaming plain text data. An attacker can inject crafted data into the event stream, breaking message boundaries and corrupting the stream delivered to other clients. By controlling streamed content, an attacker can manipulate how subsequent events are parsed by the client, potentially altering application state or injecting misleading data. Note: This is only exploitable if the application streams attacker-controlled data via SSE using unstructured/plain-text messages instead of a structured format (e.g., JSON). How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')? Upgrade `org.springframework:spring-web` to version 6.2.17, 7.0.6 or higher.	[,6.2.17)[7.0.0,7.0.6)
M HTTP Response Splitting org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to HTTP Response Splitting via the `Content-Disposition` header where the `filename` parameter value could contain non-printable characters, causing parsing issues for HTTP clients. An attacker can cause the download of files containing malicious commands by injecting content into the response. Notes: This is only exploitable if the header is prepared with `org.springframework.http.ContentDisposition`, the filename is set via `ContentDisposition.Builder#filename(String, Charset)`, the value is derived from unsanitized user input, and the attacker can inject malicious content into the downloaded response. The vulnerability was also fixed in the 6.0.29 commercial version. How to fix HTTP Response Splitting? Upgrade `org.springframework:spring-web` to version 6.1.21, 6.2.8 or higher.	[6.0.5,6.1.21)[6.2.0,6.2.8)

Vulnerability

Vulnerable Version

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'). The vulnerability exists in the handling of Server-Sent Events (SSE) when streaming plain text data. An attacker can inject crafted data into the event stream, breaking message boundaries and corrupting the stream delivered to other clients. By controlling streamed content, an attacker can manipulate how subsequent events are parsed by the client, potentially altering application state or injecting misleading data.

Note:

This is only exploitable if the application streams attacker-controlled data via SSE using unstructured/plain-text messages instead of a structured format (e.g., JSON).

How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

Upgrade org.springframework:spring-web to version 6.2.17, 7.0.6 or higher.

[,6.2.17)[7.0.0,7.0.6)

HTTP Response Splitting

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to HTTP Response Splitting via the Content-Disposition header where the filename parameter value could contain non-printable characters, causing parsing issues for HTTP clients. An attacker can cause the download of files containing malicious commands by injecting content into the response.

Notes:

This is only exploitable if the header is prepared with org.springframework.http.ContentDisposition, the filename is set via ContentDisposition.Builder#filename(String, Charset), the value is derived from unsanitized user input, and the attacker can inject malicious content into the downloaded response.
The vulnerability was also fixed in the 6.0.29 commercial version.

How to fix HTTP Response Splitting?

Upgrade org.springframework:spring-web to version 6.1.21, 6.2.8 or higher.

[6.0.5,6.1.21)[6.2.0,6.2.8)

org.springframework:spring-web@6.2.1

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically