Spring Framework Stream Corruption Vulnerability in Server-Sent Events

Vulnerability

A vulnerability exists in Spring MVC and WebFlux applications that use Server-Sent Events (SSE) to stream data to clients. The issue allows the SSE stream to be corrupted: an attacker can manipulate the data being sent, potentially disrupting application state or presenting false information to users. The vulnerability affects Spring Framework versions 7.0.0 through 7.0.5, 6.2.0 through 6.2.16, 6.1.0 through 6.1.25, and 5.3.0 through 5.3.46. Older, unsupported versions are also vulnerable.

Impact

Exploitation of this vulnerability can corrupt the data stream sent to users, leading to potential misinformation or state disruption in the application.

Remediation

Users should upgrade to Spring Framework versions 7.0.6, 6.2.17, 6.1.26 (commercial), or 5.3.47 (commercial).
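As an added example (not part of the advisory), the following Python classifies a Spring Framework version against the affected and fixed ranges stated above and runs that check over a constructed Gradle dependency fragment; the coordinate regex and the sample build file are assumptions of this example, not taken from any real project.

```python
import re
from typing import List, Tuple

# (first affected, last affected, first fixed) per release line, as stated in the advisory.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 5), (7, 0, 6)),
    ((6, 2, 0), (6, 2, 16), (6, 2, 17)),
    ((6, 1, 0), (6, 1, 25), (6, 1, 26)),
    ((5, 3, 0), (5, 3, 46), (5, 3, 47)),
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse MAJOR.MINOR.PATCH, tolerating qualifiers such as '-SNAPSHOT' or '.RELEASE'."""
    parts = text.strip().split("-")[0].split(".")[:3]
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Spring version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def assess(version: str) -> str:
    """Classify a Spring Framework version against the advisory's ranges."""
    v = parse_version(version)
    for first_bad, last_bad, first_fixed in AFFECTED_RANGES:
        if first_bad <= v <= last_bad:
            return "vulnerable"
        if v[:2] == first_fixed[:2] and v >= first_fixed:
            return "fixed"
    if v < (5, 3, 0):
        # The advisory states that older, unsupported versions are also vulnerable.
        return "unsupported-vulnerable"
    return "unknown"  # a release line the advisory does not mention (e.g. 6.0.x)

# Gradle-style coordinate (assumed layout): org.springframework:<artifact>:<version>
COORD_RE = re.compile(r"org\.springframework:(spring-[a-z-]+):([0-9][^\s'\")]*)")

# Constructed sample build.gradle fragment, not taken from any real project.
SAMPLE_BUILD = """
dependencies {
    implementation 'org.springframework:spring-webmvc:6.2.10'
    implementation 'org.springframework:spring-webflux:7.0.6'
    testImplementation 'org.springframework:spring-test:5.3.20'
}
"""

def scan_gradle(text: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, assessment) for every Spring Framework coordinate found."""
    return [(art, ver, assess(ver)) for art, ver in COORD_RE.findall(text)]
```

Versions on a release line the advisory does not list are reported as "unknown" rather than guessed at.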

Added: Mar 20, 2026, 12:28 AM
Updated: Mar 20, 2026, 12:28 AM

Vulnerability Rating (custom algorithm)

spread: 7.8
impact: 0.8
exploitability: 4.4
remediation: 7.7
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.