Moderate severity · NVD Advisory · Published Oct 4, 2011 · Updated Jun 16, 2026
CVE-2011-2894
Description
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.springframework:spring-core | Maven | >= 3.0.0, < 3.0.6 | 3.0.6 |
| org.springframework.security:spring-security-core | Maven | >= 3.0.0, < 3.0.6 | 3.0.6 |
| org.springframework.security:spring-security-core | Maven | >= 2.0.0, < 2.0.7 | 2.0.7 |
Affected products
Package URLs (from the GHSA coordinates; no CPE assigned):
- pkg:maven/org.springframework.security/spring-security-core, range: >= 3.0.0, < 3.0.6 (+ 1 more range)
- pkg:maven/org.springframework/spring-core, range: >= 3.0.0, < 3.0.6
References
- securityreason.com/securityalert/8405 (NVD: Third Party Advisory, Web)
- www.redhat.com/support/errata/RHSA-2011-1334.html (NVD: Third Party Advisory, Web)
- www.securityfocus.com/archive/1/519593/100/0/threaded (NVD: Third Party Advisory, VDB Entry, Web)
- www.securityfocus.com/bid/49536 (NVD: Third Party Advisory, VDB Entry, Web)
- www.springsource.com/security/cve-2011-2894 (NVD: Vendor Advisory, Web)
- exchange.xforce.ibmcloud.com/vulnerabilities/69687 (NVD: Third Party Advisory, VDB Entry, Web)
- github.com/advisories/GHSA-f866-m9mv-2xr3 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2011-2894 (GHSA: Advisory)
- osvdb.org/75263 (NVD: Broken Link, Web)
- github.com/spring-projects/spring-framework/commit/070a723ef2c886770a063eb9a67f84f74e06edfb (GHSA: Web; fix commit)
- web.archive.org/web/20120307233721/http://www.springsource.com/security/cve-2011-2894 (NVD: Web; archived vendor advisory)