Spring Framework Security Filter Bypass in WebFlux Kotlin Router DSL

Vulnerability

A security bypass vulnerability has been identified in Spring WebFlux applications that use the Kotlin Router DSL. This issue affects Spring Framework versions 5.3.0 through 5.3.48, including versions no longer supported. The vulnerability arises when an application applies a filter that modifies the 'ServerRequest' before passing it to the next handler. In such cases, any security enhancements made to the request by the filter are ignored, and the original request is sent to the handler, undermining the intended security measures.
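To tell whether a deployment exhibits the behaviour described above, here is an added regression check written for this page (not code from the advisory or from the Spring project): a Kotlin Router DSL filter rebuilds the ServerRequest with an extra header, the handler refuses to serve unless that header is present, and the check returns true only if the filter's modification actually reached the handler. The route path and header name are assumptions for the example.

```kotlin
import org.springframework.http.HttpStatus
import org.springframework.test.web.reactive.server.WebTestClient
import org.springframework.web.reactive.function.server.ServerRequest
import org.springframework.web.reactive.function.server.ServerResponse
import org.springframework.web.reactive.function.server.router

// Assumed marker header the filter attaches once its own check has passed.
// The name is an assumption for this example; the advisory names no header.
private const val VERIFIED_HEADER = "X-Example-Verified"

// Route whose handler depends on the marker the filter adds.
fun secureRoutes() = router {
    GET("/secure") { request ->
        // Defensive: serve only the request the filter built, never the original.
        if (request.headers().firstHeader(VERIFIED_HEADER) == "true") {
            ServerResponse.ok().bodyValue("ok")
        } else {
            ServerResponse.status(HttpStatus.FORBIDDEN).build()
        }
    }
    // Filter that rebuilds the ServerRequest before calling the next handler.
    // On the affected versions the advisory describes, the rebuilt request is
    // discarded and the handler receives the original one, so the header is absent.
    filter { request, next ->
        val enriched = ServerRequest.from(request)
            .header(VERIFIED_HEADER, "true")
            .build()
        next(enriched)
    }
}

// Regression check: true when the handler saw the enriched request (HTTP 200),
// false when it saw the original request (HTTP 403), which flags the bypass.
fun filterModificationsReachHandler(): Boolean {
    val client = WebTestClient.bindToRouterFunction(secureRoutes()).build()
    val result = client.get().uri("/secure").exchange().returnResult(String::class.java)
    return result.status.value() == 200
}
```

Call filterModificationsReachHandler() from a unit test and assert it is true; a false result on a 5.3.x deployment matches the filter bypass this advisory describes.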

Impact

Exploitation of this vulnerability allows security filters to be bypassed, potentially leading to unauthorized access or actions within the application.

Remediation

Users should upgrade to Spring Framework version 5.3.49. This version is available through the Spring Commercial subscription.

Added: Jun 9, 2026, 6:16 AM
Updated: Jun 9, 2026, 6:16 AM

Vulnerability Rating (Custom Algorithm)

spread: 7.8
impact: 5.0
exploitability: 4.7
remediation: 7.7
relevance: 9.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.