Spring Framework Denial-of-Service Vulnerability in MVC and WebFlux Applications
Vulnerability
A denial-of-service vulnerability has been identified in Spring Framework versions 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, and 7.0.0 through 7.0.7. This vulnerability affects applications using Spring MVC or Spring WebFlux that serve static resources from the file system and have versioned resources support enabled. Under these conditions, an attacker can exploit the vulnerability by sending malicious requests that are slow to process, keeping HTTP connections occupied and potentially causing a denial-of-service condition on the application.
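To recognise whether an application meets both preconditions named above, the following Spring MVC configuration (an added illustration, not code from the advisory or from the Spring project) shows the affected shape: a file-system resource location combined with versioned resource support. The handler path and directory are assumed values; the remediation remains the version upgrade listed under Remediation.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.resource.VersionResourceResolver;

// Hypothetical configuration constructed for this example. It combines the
// two conditions the advisory describes: static resources served from the
// file system, and versioned resources enabled through the resource chain.
// A WebFlux application reaches the same state with WebFluxConfigurer and
// the reactive ResourceHandlerRegistry / VersionResourceResolver classes.
@Configuration
public class StaticResourceConfig implements WebMvcConfigurer {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/static/**")
                // Condition 1: a file-system location (assumed directory).
                .addResourceLocations("file:/var/www/app/static/")
                // Enabling the resource chain is required for resolvers.
                .resourceChain(true)
                // Condition 2: versioned resources. Either a content-hash
                // strategy (below) or a fixed version strategy enables it.
                .addResolver(new VersionResourceResolver()
                        .addContentVersionStrategy("/**"));
    }
}
```

In Spring Boot the same two conditions can be reached through properties alone (a `file:` entry in `spring.web.resources.static-locations` together with `spring.web.resources.chain.strategy.content.enabled=true` or the fixed-strategy equivalent), so property files are worth auditing alongside Java configuration. Finding this shape does not change the fix: upgrade to the patched version for your release line.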
Impact
Exploitation of this vulnerability can lead to a denial-of-service condition, where the application becomes unresponsive or slow due to prolonged HTTP connections, causing disruption to users and services.
Remediation
Users of affected versions should upgrade to the fixed version. The following upgrade paths are available:
- For Spring Framework 7.0.x, upgrade to 7.0.8 (OSS) or 7.0.7.1 (Commercial).
- For Spring Framework 6.2.x, upgrade to 6.2.19 (OSS) or 6.2.18.1 (Commercial).
- For Spring Framework 6.1.x, upgrade to 6.1.28 (Commercial).
- For Spring Framework 5.3.x, upgrade to 5.3.49 (Commercial).
