Spring Framework Server-Side Request Forgery Vulnerability in UriComponentsBuilder

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Spring Framework versions 7.0.0 through 7.0.7 and 6.2.0 through 6.2.18. The issue arises from incorrect host parsing in UriComponentsBuilder: an application that relies on this component to validate externally provided URL strings may accept a URL whose actual host differs from the host the validation logic saw, and can therefore be exploited.
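Because the flaw lies in how one component parses the host, a validation routine that trusts a single parser's view of the host is the pattern at risk. The following Java helper is an added example, written for this page and not taken from Spring or from the advisory: it parses the URL with both java.net.URI and UriComponentsBuilder, refuses the request unless both agree on the host, checks that host against an allowlist, and rebuilds the outbound URI from the validated parts instead of reusing the raw string. The allowlist entries (api.example.com, cdn.example.com) and the class name OutboundUrlValidator are constructed for illustration, and the example does not attempt to reproduce the specific parsing discrepancy, which the advisory does not describe. Upgrading to the fixed versions listed under Remediation remains the actual fix; this check is defense in depth.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Hypothetical helper (not part of Spring): accepts an externally supplied URL
 * only if two independent parsers agree on the host and that host is allowlisted.
 */
public final class OutboundUrlValidator {

    // Constructed allowlist; a real deployment would load this from configuration.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com", "cdn.example.com");

    private OutboundUrlValidator() {
    }

    /**
     * Returns a rebuilt URI that is safe to hand to an HTTP client, or throws
     * IllegalArgumentException when the input does not pass every check.
     */
    public static URI validate(String rawUrl) {
        final URI jdkView;
        try {
            jdkView = new URI(rawUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }

        // First parser: the JDK. getHost() is null for opaque or authority-less URIs.
        String jdkHost = jdkView.getHost();
        // Second parser: Spring's UriComponentsBuilder, the component named in the advisory.
        UriComponents springView = UriComponentsBuilder.fromUriString(rawUrl).build();
        String springHost = springView.getHost();

        if (jdkHost == null || springHost == null) {
            throw new IllegalArgumentException("URL has no parseable host");
        }
        // Any disagreement between parsers means the host is ambiguous; reject rather than pick one.
        if (!jdkHost.equalsIgnoreCase(springHost)) {
            throw new IllegalArgumentException("parsers disagree on host");
        }
        String host = jdkHost.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("host not allowlisted: " + host);
        }
        if (!"https".equalsIgnoreCase(jdkView.getScheme())) {
            throw new IllegalArgumentException("only https is permitted");
        }
        // Credentials in the authority are a common way to make a URL look like it points elsewhere.
        if (jdkView.getUserInfo() != null) {
            throw new IllegalArgumentException("user-info in URL is not permitted");
        }

        // Rebuild from the validated components; never forward the raw string as received.
        return UriComponentsBuilder.newInstance()
                .scheme("https")
                .host(host)
                .port(jdkView.getPort())          // -1 keeps the default port
                .path(jdkView.getRawPath())       // raw (already encoded) path and query
                .query(jdkView.getRawQuery())
                .build(true)                      // true: components are already encoded
                .toUri();
    }

    public static void main(String[] args) {
        // Constructed inputs for a quick manual run.
        System.out.println(validate("https://api.example.com/v1/items?id=42"));
        try {
            validate("http://api.example.com/v1/items");   // wrong scheme, rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The cross-parser agreement check is the part that speaks to this advisory: a host-parsing bug in one library cannot be used to sneak a non-allowlisted host past the validator unless the second parser shares the same bug, and rebuilding the URI from the agreed-upon parts removes whatever raw-string quirk triggered the discrepancy in the first place.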

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can manipulate the server to make requests on its behalf, potentially accessing internal resources or services.

Remediation

Users should upgrade to Spring Framework 7.0.8 or 6.2.19. For commercial users, the fixed versions are 7.0.7.1 and 6.2.18.1.

Added: Jun 9, 2026, 6:06 AM
Updated: Jun 9, 2026, 6:06 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 0.6
exploitability: 4.1
remediation: 7.7
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.