Moderate severityNVD Advisory· Published Mar 10, 2015· Updated May 6, 2026

CVE-2015-0201

Description

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.springframework:spring-coreMaven	>= 4.1.0, < 4.1.5	4.1.5

Affected products

Pivotal Software/Spring Framework
cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*
VMware/Spring Framework4 versions
cpe:2.3:a:vmware:spring_framework:4.1.1:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:vmware:spring_framework:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.4:*:*:*:*:*:*:*

Patches

dc5b5ca8ee09

https://github.com/spring-projects/spring-frameworkvia ghsa

commit

d63cfc8eebc3

https://github.com/spring-projects/spring-frameworkvia ghsa

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-45vg-2v73-vm62ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2015-0201ghsaADVISORY
pivotal.io/security/cve-2015-0201nvdVendor AdvisoryWEB
github.com/spring-projects/spring-framework/commit/d63cfc8eebc396be009e733a81ebb4c984811f6eghsaWEB
github.com/spring-projects/spring-framework/commit/dc5b5ca8ee09c890352f89b2dae58bc0132d6545ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000