Spring HATEOAS Property Binding Vulnerability in Collection+JSON and UBER Deserializers

Vulnerability

A vulnerability exists in Spring HATEOAS versions 1.5.0 through 1.5.6, 2.3.0 through 2.3.4, 2.4.0 through 2.4.1, 2.5.0 through 2.5.2, and 3.0.0 through 3.0.3. The issue is in the internal PropertyUtils.createObjectFromProperties method, which the Collection+JSON and UBER media type deserializers use to build the bound object. The method binds bean properties through reflection and does not consult Jackson access-control annotations (for example @JsonIgnore or @JsonProperty(access = READ_ONLY)), so a property that Jackson would refuse to deserialize can still be set through this path. An application is affected when all three of the following hold: it has enabled the COLLECTION_JSON or UBER hypermedia type; it exposes a controller that accepts a RepresentationModel subclass or an EntityModel as @RequestBody; and the bound model type has a setter for a security-sensitive property whose only protection is a Jackson annotation. Applications that enable neither media type do not reach the affected code path.
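The following is an added example, written for this page and not code from the advisory or from the Spring HATEOAS project, showing the three preconditions side by side with a hardened form of the same controller. All class, endpoint and property names (HypermediaConfig, AccountModel, AccountUpdateRequest, AccountController, /accounts, admin) are hypothetical. The hardened version does not depend on the fixed release: it binds the request to a type that has no setter for the sensitive property at all, so no deserializer, annotation-aware or not, can populate it.

```java
import com.fasterxml.jackson.annotation.JsonProperty;
import org.springframework.context.annotation.Configuration;
import org.springframework.hateoas.RepresentationModel;
import org.springframework.hateoas.config.EnableHypermediaSupport;
import org.springframework.hateoas.config.EnableHypermediaSupport.HypermediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Precondition 1 (hypothetical configuration): COLLECTION_JSON or UBER is enabled.
// An application that enables only HAL or HAL_FORMS does not reach the affected path.
@Configuration
@EnableHypermediaSupport(type = { HypermediaType.HAL, HypermediaType.COLLECTION_JSON })
class HypermediaConfig {
}

// Precondition 3 (hypothetical model): a RepresentationModel subclass with a setter for a
// security-sensitive property whose only guard is a Jackson access-control annotation.
class AccountModel extends RepresentationModel<AccountModel> {
    private String displayName;
    private boolean admin;

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }

    public boolean isAdmin() { return admin; }

    // READ_ONLY tells Jackson to serialize this property but never deserialize it.
    // The affected PropertyUtils.createObjectFromProperties path binds via reflection
    // and does not consult this annotation, so a Collection+JSON or UBER body that
    // carries "admin" can still reach this setter on an affected version.
    @JsonProperty(access = JsonProperty.Access.READ_ONLY)
    public void setAdmin(boolean admin) { this.admin = admin; }
}

// Hardened input type (hypothetical): only client-writable fields have setters.
// There is no way to express "admin" in a request bound to this class.
class AccountUpdateRequest extends RepresentationModel<AccountUpdateRequest> {
    private String displayName;

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
}

@RestController
class AccountController {

    // Precondition 2: the sensitive model is the @RequestBody type. With
    // Collection+JSON or UBER enabled, "admin" is bindable from the request.
    @PostMapping("/accounts/vulnerable")
    AccountModel createVulnerable(@RequestBody AccountModel body) {
        return body;
    }

    // Hardened: bind to the restricted input type and copy across only the fields
    // the client is allowed to set. The admin flag is decided by server-side logic.
    @PostMapping("/accounts")
    AccountModel create(@RequestBody AccountUpdateRequest body) {
        AccountModel account = new AccountModel();
        account.setDisplayName(body.getDisplayName());
        // account.setAdmin(...) is intentionally never driven by request input.
        return account;
    }
}
```

The general point the hardened half illustrates is that a Jackson annotation is a serialization hint, not an authorization boundary: any binder that does not read Jackson metadata will ignore it. Keeping sensitive properties out of the request-bound type removes the exposure regardless of which media types are enabled.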

Impact

A client that can send a Collection+JSON or UBER request body to an affected endpoint can set properties on the bound model that the application marked as ignored or read-only for deserialization. Depending on what the application does with the bound object, this can result in unauthorized modification of security-sensitive properties (for example a role, ownership or status field) that were intended to be controlled only by server-side code.

Remediation

Users should upgrade to Spring HATEOAS version 1.5.7, 2.3.5, 2.4.2, 2.5.3, or 3.0.4, whichever corresponds to their current release line. To confirm exposure, check which hypermedia types are enabled (the type attribute of @EnableHypermediaSupport, or the equivalent Spring Boot configuration) and review every controller that accepts a RepresentationModel subclass or EntityModel as @RequestBody for setters on security-sensitive properties. Independently of the upgrade, do not rely on Jackson annotations alone to keep a property out of request binding; bind requests to a type that has no setter for that property.

Added: Jun 9, 2026, 6:39 AM
Updated: Jun 9, 2026, 6:39 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.7
remediation: 7.7
relevance: 9.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.