Spring Boot Weak PRNG in Random Value Property Source Vulnerability

Vulnerability

A vulnerability exists in the random value property source of Spring Boot, affecting versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.13, 3.4.0 through 3.4.15, 3.3.0 through 3.3.18, and 2.7.0 through 2.7.32. The random values this property source generates are not suitable for use as secrets; numeric values are particularly problematic because they fall within a predictable range. ${random.uuid} is not affected, but ${random.int} and ${random.long} should never be used for secrets because of their predictability.
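
As an added illustration (this is not code from the advisory or from the Spring Boot project), the following Python script audits application.properties or YAML-style configuration lines for secret-looking keys that are assigned a numeric random placeholder, the pattern the advisory warns against. The sample lines are constructed for the example; the parameterized forms ${random.int(10)} and ${random.int[1024,65536]} are standard Spring Boot placeholder syntax, and the list of words treated as secret-like key names is an assumption chosen for this check.

```python
import re
from typing import List, Tuple

# Constructed sample configuration (not taken from any real project).
# Mixes properties-style "key=value" and YAML-style "key: value" lines.
SAMPLE_CONFIG = """\
server.port=8080
app.session-secret=${random.int}
app.signing-key=${random.long}
app.instance-id=${random.uuid}
app.shard-number=${random.int(10)}
app.port-range=${random.int[1024,65536]}
app.api-token: ${random.long}
"""

# Assumed list of words that suggest a key holds a secret.
SECRET_KEY_HINT = re.compile(
    r"(secret|password|passwd|token|key|credential|salt)", re.IGNORECASE
)

# Numeric random placeholders: ${random.int}, ${random.int(10)},
# ${random.int[1024,65536]}, ${random.long}. ${random.uuid} is deliberately
# excluded because the advisory states it is not affected.
NUMERIC_RANDOM = re.compile(r"\$\{random\.(int|long)(\(\d+\)|\[\d+,\d+\])?\}")

# "key=value" or "key: value"; leading indentation allowed for YAML.
KV_LINE = re.compile(r"^\s*([\w.\-\[\]]+)\s*[=:]\s*(.*?)\s*$")


def find_numeric_random_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key, value) for every secret-like key whose
    value contains a numeric random placeholder."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments
        m = KV_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if NUMERIC_RANDOM.search(value) and SECRET_KEY_HINT.search(key):
            findings.append((lineno, key, value))
    return findings


if __name__ == "__main__":
    for lineno, key, value in find_numeric_random_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: {key} uses numeric random placeholder {value}")
```

On the sample above the check reports app.session-secret, app.signing-key and app.api-token; app.shard-number and app.port-range use numeric placeholders but do not look like secrets, and app.instance-id uses ${random.uuid}, which the advisory does not flag.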

Impact

The vulnerability could lead to the unintentional exposure of secrets, as the weak pseudo-random number generator (PRNG) used in the random value property source produces values that can be predicted.

Remediation

Users should upgrade to Spring Boot versions 4.0.6, 3.5.14, 3.4.16 (Enterprise Support Only), 3.3.19 (Enterprise Support Only), or 2.7.33 (Enterprise Support Only).

Added: Apr 28, 2026, 12:29 AM
Updated: Apr 28, 2026, 12:29 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 5.0
exploitability: 7.6
remediation: 7.7
relevance: 6.9
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.