Spring Framework Multipart Request Smuggling Vulnerability in Web Applications

Vulnerability

A vulnerability allowing multipart request smuggling has been identified in Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. This vulnerability affects applications using Spring MVC or Spring WebFlux that accept multipart requests and are protected by a Web Application Firewall (WAF) or proxy capable of parsing multipart requests and performing content-based checks. Under these conditions, an attacker could craft malicious multipart requests that bypass WAF or proxy defenses.

Impact

Exploitation of this vulnerability could lead to successful multipart request smuggling, allowing attackers to manipulate how requests are processed by the server or an intermediary, potentially causing unexpected behavior or bypassing security controls.

Remediation

Users of affected versions should upgrade to the fixed version. The following upgrade options are available:

- For Spring Framework 7.0.x, upgrade to 7.0.8 (OSS) or 7.0.7.1 (Commercial).
- For Spring Framework 6.2.x, upgrade to 6.2.19 (OSS) or 6.2.18.1 (Commercial).
- For Spring Framework 6.1.x, upgrade to 6.1.28 (Commercial).
- For Spring Framework 5.3.x, upgrade to 5.3.49 (Commercial).
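To triage which builds need the upgrade, the check below flags Spring MVC and WebFlux artifacts whose version falls in the affected ranges listed above. It is an added example, not code from this advisory or from the Spring project; it assumes input in the form printed by Maven's `dependency:list` goal and the artifact names `spring-webmvc` and `spring-webflux`, and the sample input is constructed.

```python
import re

# Last affected release and fixed releases per branch, as listed in the advisory.
AFFECTED = {
    (7, 0): ((7, 0, 7), "7.0.8 (OSS) or 7.0.7.1 (Commercial)"),
    (6, 2): ((6, 2, 18), "6.2.19 (OSS) or 6.2.18.1 (Commercial)"),
    (6, 1): ((6, 1, 27), "6.1.28 (Commercial)"),
    (5, 3): ((5, 3, 48), "5.3.49 (Commercial)"),
}
# Assumption: these artifacts stand for "Spring MVC or Spring WebFlux".
MODULES = {"spring-webmvc", "spring-webflux"}
DEP = re.compile(r"org\.springframework:(spring-[\w-]+):jar:([0-9][\w.\-]*):(\w+)")

def parse_version(text):
    """Leading numeric components only: '6.2.18.1' -> (6, 2, 18, 1)."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def classify(version):
    """Return (status, fix) for one version string."""
    v = parse_version(version)
    if len(v) < 3 or v[:2] not in AFFECTED:
        return ("not-listed", None)  # branch the advisory does not mention
    high, fix = AFFECTED[v[:2]]
    # (7, 0, 7, 1) > (7, 0, 7): the four-part commercial fix is not in range.
    return ("affected", fix) if v <= high else ("fixed", None)

def scan(dependency_list):
    """Return (artifact, version, status, fix) for each MVC/WebFlux line."""
    findings = []
    for line in dependency_list.splitlines():
        m = DEP.search(line)
        if m and m.group(1) in MODULES:
            status, fix = classify(m.group(2))
            findings.append((m.group(1), m.group(2), status, fix))
    return findings

# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    org.springframework:spring-webmvc:jar:6.2.18:compile
[INFO]    org.springframework:spring-webflux:jar:7.0.7.1:compile
[INFO]    org.springframework:spring-core:jar:6.2.18:compile
"""
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A version match covers only one condition: the advisory also requires that the application accept multipart requests and sit behind a WAF or proxy that parses them.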

Added: Jun 9, 2026, 6:06 AM
Updated: Jun 9, 2026, 6:06 AM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 0.6
exploitability: 3.7
remediation: 7.7
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.