Spring Security
Monthly
Authentication bypass via X.509 certificate impersonation in Spring Security affects versions 5.7.0-5.7.24, 5.8.0-5.8.26, 6.3.0-6.3.17, 6.4.0-6.4.17, and 6.5.0-6.5.10, where the SubjectDnX509PrincipalExtractor mishandles malformed Common Name (CN) values and resolves the principal to the wrong identity. An attacker holding a carefully crafted client certificate can authenticate as a different legitimate user, gaining their privileges. No public exploit identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects no observed exploitation activity.
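The advisory above locates the problem in how the CN is pulled out of the certificate's subject DN. As an added example (not Spring Security's extractor and not its fix), the following strict extractor uses the JDK's RFC 2253 parser and returns a principal only when the DN is unambiguous: it parses, holds exactly one single-valued CN, and that value is a non-empty string. The subject DNs in `main` are constructed.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public final class StrictCnExtractor {
    /**
     * Returns the CN of an RFC 2253 subject DN only when it is unambiguous; anything else
     * yields null, which the caller must treat as "no principal", never as a looser match.
     */
    public static String extractCn(String subjectDn) {
        LdapName name;
        try {
            name = new LdapName(subjectDn); // full RFC 2253 parser: handles \, \= \+ and quoted values
        } catch (InvalidNameException e) {
            return null;
        }
        String cn = null;
        for (Rdn rdn : name.getRdns()) {
            if (rdn.size() != 1) return null; // multi-valued RDN such as CN=a+OU=b is ambiguous: reject
            if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
            if (cn != null) return null; // a second CN: which one would be the principal?
            Object value = rdn.getValue();
            if (!(value instanceof String)) return null; // #hex-encoded binary value: reject
            cn = (String) value;
        }
        return (cn == null || cn.isBlank()) ? null : cn;
    }

    public static void main(String[] args) {
        // Constructed subject DNs; none comes from a real certificate.
        String[] dns = {
            "CN=alice,OU=Users,DC=example,DC=com",   // -> alice
            "CN=alice\\,OU=Users,DC=example,DC=com", // escaped comma belongs to the value -> "alice,OU=Users"
            "CN=alice,CN=bob,DC=example,DC=com",     // two CNs -> null
            "CN=alice+OU=Users,DC=example,DC=com",   // multi-valued RDN -> null
            "OU=Users,DC=example,DC=com",            // no CN -> null
            "CN=,DC=example,DC=com",                 // empty CN -> null
            "CN=alice,,DC=example",                  // malformed -> null
        };
        for (String dn : dns) {
            System.out.printf("%-42s -> %s%n", dn, extractCn(dn));
        }
    }
}
```

The point of the second input is that a parser-based extractor keeps the escaped comma inside the value rather than cutting the CN off at the first comma it sees, so the result can only match a user whose stored name is literally that string.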
Open redirect in Spring Security's cookie-based saved-request components allows remote unauthenticated attackers to redirect authenticated users to arbitrary external URLs immediately after a successful login. The CookieRequestCache (servlet stack) and CookieServerRequestCache (reactive/WebFlux stack) store the full pre-authentication URL in a browser cookie and use it without origin validation as the post-login Location target, making this exploitable via a socially engineered link. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the S:C scope change and PR:N attack profile make this a meaningful phishing enabler in any Spring Security deployment using cookie-backed saved requests.
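As an added example (not Spring Security's code), this is the kind of origin check a deployment can apply to a cookie-stored saved-request URL before using it as the post-login Location, falling back to a fixed default page whenever the check fails. The application origin and the saved URLs in `main` are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class SavedRequestRedirectCheck {
    /**
     * Returns the saved URL if it stays on the expected origin, otherwise null so the caller
     * redirects to a default landing page instead of wherever the cookie says.
     */
    public static String safeTarget(String savedUrl, String scheme, String host, int port) {
        if (savedUrl == null || savedUrl.isBlank()) return null;
        // Backslashes and control characters are not valid in URLs; browsers treat "/\host" like "//host".
        if (savedUrl.chars().anyMatch(c -> c == '\\' || c < 0x20)) return null;
        URI uri;
        try {
            uri = new URI(savedUrl);
        } catch (URISyntaxException e) {
            return null; // unparseable: discard rather than guess
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Path-only target: require an absolute path ("/...") so it cannot leave this origin.
            return savedUrl.startsWith("/") ? savedUrl : null;
        }
        // Anything carrying a scheme or authority (including protocol-relative "//host") must match our origin.
        if (uri.getScheme() == null || !scheme.equalsIgnoreCase(uri.getScheme())) return null;
        if (uri.getRawUserInfo() != null) return null; // "https://ourhost@otherhost/" must not pass as ours
        if (uri.getHost() == null || !host.equalsIgnoreCase(uri.getHost())) return null;
        int effectivePort = uri.getPort() != -1 ? uri.getPort() : ("https".equalsIgnoreCase(scheme) ? 443 : 80);
        return effectivePort == port ? savedUrl : null;
    }

    public static void main(String[] args) {
        // Constructed values: the application is served at https://app.example.com
        String[] saved = {
            "/account/settings?tab=security",         // accepted (path-only)
            "https://app.example.com/orders/42",      // accepted (same origin)
            "https://other.example/page",             // rejected (different host)
            "//other.example/page",                   // rejected (protocol-relative)
            "https://app.example.com@other.example/", // rejected (userinfo trick)
            "/\\other.example",                       // rejected (backslash)
            "javascript:alert(1)",                    // rejected (non-http scheme)
        };
        for (String s : saved) {
            String target = safeTarget(s, "https", "app.example.com", 443);
            System.out.printf("%-42s -> %s%n", s, target == null ? "discard, use default" : target);
        }
    }
}
```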
Decryption oracle exposure in Spring Security's SAML module allows unauthenticated remote attackers (PR:N, AV:N per CVSS) to submit crafted SAML Responses, LogoutRequests, and LogoutResponses to a Service Provider endpoint and leverage the SP's private key for decryption without presenting a valid XML signature. Affected deployments span Spring Security 5.7.x through 7.0.x that use SAML-based SSO or Single Logout. No public exploit has been identified at time of analysis and EPSS data was not provided, but the attack class (XML encryption oracle) is well-documented in SAML security research and carries meaningful risk in identity-sensitive environments.
Spring Authorization Server's authorization endpoint fails to adequately validate the OAuth2/OIDC `request_uri` parameter, enabling unauthenticated remote attackers to craft authorization requests that bypass redirect URI validation entirely. Affected deployments running Spring Authorization Server 1.5.0-1.5.7 or Spring Security 7.0.0-7.0.5 can be exploited to redirect authenticated users to attacker-controlled destinations, a particularly elevated risk given that victims inherently trust the authorization server's domain during OAuth login flows. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Cross-site scripting in Spring Security's SAML 2.0 relying party support allows an attacker who can influence RelyingPartyRegistration values to inject malicious content into HTML forms generated by Spring Security filters, potentially leading to script execution in a victim's browser. The advisory and tagging characterize this as an XSS issue with possible code-execution implications in the browser context, affecting Spring Security 5.7.x through 7.0.x prior to the fixed maintenance releases. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Insecure deserialization in Spring Security 7.0.0 through 7.0.5 allows an attacker with write access to the saml2_asserting_party_metadata database table to store malicious serialized Java payloads in the verification_credentials or encryption_credentials columns, leading to code execution when the JdbcAssertingPartyMetadataRepository deserializes them. The flaw affects deployments using the JDBC-backed SAML 2.0 asserting-party metadata repository introduced in the Spring Security 7.x line. No public exploit identified at time of analysis and EPSS is very low (0.01%), but CVSS rates impact as High due to full confidentiality, integrity, and availability loss on the application.
Denial of service in Spring Security's SAML 2.0 service provider module allows remote unauthenticated attackers to exhaust application memory by submitting a maliciously compressed SAML payload over the REDIRECT binding. The flaw stems from an unbounded inflater that decompresses attacker-controlled data without size limits, enabling a classic decompression-bomb attack against any Spring application using SAML Login or Logout. No public exploit identified at time of analysis, but the network-reachable, no-authentication CVSS profile (7.5 High) makes this a near-term patching priority for SAML-enabled deployments.
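As an added example (not Spring Security's or OpenSAML's code), here is a size-capped inflater for the raw-DEFLATE payloads the SAML HTTP-Redirect binding carries, together with a constructed highly compressible input that shows the cap firing before memory is exhausted. The 1 MiB cap is an assumed value chosen to be far above any legitimate SAML message.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public final class BoundedInflate {
    /** Inflates raw DEFLATE data but fails as soon as the output would exceed maxOut bytes. */
    public static byte[] inflateBounded(byte[] compressed, int maxOut) throws DataFormatException {
        Inflater inflater = new Inflater(true); // nowrap=true: raw DEFLATE without zlib header, as in the Redirect binding
        try {
            inflater.setInput(compressed);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            while (!inflater.finished()) {
                int n = inflater.inflate(buf);
                if (n == 0 && !inflater.finished()) throw new DataFormatException("truncated or dictionary-dependent stream");
                // Check before buffering so memory use never exceeds the cap, whatever the compression ratio.
                if (out.size() + n > maxOut) throw new DataFormatException("inflated size exceeds cap of " + maxOut + " bytes");
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        } finally {
            inflater.end(); // release native zlib memory on both the success and the error path
        }
    }
    /** Raw-DEFLATE compressor, used here only to build the constructed demo inputs. */
    public static byte[] deflateRaw(byte[] data) {
        Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION, true);
        deflater.setInput(data);
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        while (!deflater.finished()) out.write(buf, 0, deflater.deflate(buf));
        deflater.end();
        return out.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        int cap = 1 << 20; // assumed 1 MiB cap
        byte[] normal = deflateRaw("<samlp:LogoutRequest ID=\"_constructed\"/>".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(inflateBounded(normal, cap), StandardCharsets.UTF_8));
        byte[] oversized = deflateRaw(new byte[32 * 1024 * 1024]); // 32 MiB of zeros shrinks to a few tens of KiB
        try {
            inflateBounded(oversized, cap);
        } catch (DataFormatException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same cap is worth enforcing on the base64-decoded input length as well, since a request that is small on the wire is the whole point of a decompression bomb.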