VMware Spring Boot Timing Attack Vulnerability in DevTools Remote Secret Comparison Allowing Remote Code Execution

Vulnerability

A timing attack vulnerability has been identified in VMware Spring Boot versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.13, 3.4.0 through 3.4.15, 3.3.0 through 3.3.18, and 2.7.0 through 2.7.32. This vulnerability allows an attacker on the same network as the remote application to exploit timing discrepancies to infer information about a remote secret. In severe cases, this could lead to the attacker determining the secret and uploading modified classes, thereby executing remote code in the application.
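To make the weakness concrete, the following is an added illustration, not Spring Boot's code and not the actual fix: an early-exit byte comparison of the kind that leaks timing information, beside a constant-time comparison. The sample secret, the guesses and the step counters are constructed for the demo; the counters stand in for the response time an observer would otherwise have to measure.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SecretCompareDemo {
    // Instrumentation counters (constructed for this demo): they count loop iterations,
    // which is the work an attacker would otherwise have to infer from response time.
    static int earlyExitSteps;
    static int constantTimeSteps;

    // The weak pattern: returns at the first mismatching byte, so iterations (and time)
    // grow with the length of the correctly guessed prefix.
    static boolean earlyExitEquals(byte[] expected, byte[] actual) {
        earlyExitSteps = 0;
        if (expected.length != actual.length) return false;
        for (int i = 0; i < expected.length; i++) {
            earlyExitSteps++;
            if (expected[i] != actual[i]) return false;
        }
        return true;
    }

    // The fix: always walk the full expected secret and OR all byte differences together,
    // so the iteration count never depends on where the first mismatch is.
    static boolean constantTimeEquals(byte[] expected, byte[] actual) {
        constantTimeSteps = 0;
        int diff = expected.length ^ actual.length;
        for (int i = 0; i < expected.length; i++) {
            constantTimeSteps++;
            byte supplied = i < actual.length ? actual[i] : 0;
            diff |= expected[i] ^ supplied;
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample secret; the real one is the configured DevTools remote secret.
        byte[] secret = "correct-horse-battery".getBytes(StandardCharsets.UTF_8);
        String[] guesses = {"Xorrect-horse-battery", "correct-XXXXX-XXXXXXX", "correct-horse-battery"};
        for (String g : guesses) {
            byte[] guess = g.getBytes(StandardCharsets.UTF_8);
            boolean weak = earlyExitEquals(secret, guess);
            boolean safe = constantTimeEquals(secret, guess);
            System.out.printf("%-22s early-exit: %-5b %2d steps | constant-time: %-5b %2d steps%n",
                    g, weak, earlyExitSteps, safe, constantTimeSteps);
        }
        // In production use the JDK primitive, which is timing-safe in modern JDKs.
        System.out.println("MessageDigest.isEqual: " + MessageDigest.isEqual(secret, guesses[2].getBytes(StandardCharsets.UTF_8)));
    }
}
```

The early-exit step count grows with the length of the correctly guessed prefix, while the constant-time count is fixed at the secret's length regardless of the guess; that fixed cost is what a secret comparison in an authentication path needs.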

Impact

Exploitation of this vulnerability could result in unauthorized information disclosure followed by remote code execution on the affected application.

Remediation

Users should upgrade to Spring Boot 4.0.6, 3.5.14, 3.4.16 (Enterprise Support Only), 3.3.19 (Enterprise Support Only) or 2.7.33 (Enterprise Support Only).

Added: Apr 28, 2026, 12:32 AM
Updated: Apr 28, 2026, 12:32 AM

Vulnerability Rating

Custom Algorithm

  spread          7.6
  impact          7.5
  exploitability  5.4
  remediation     7.7
  relevance       6.9
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.