CVE-2016-1000027
Description
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Spring Framework through 5.3.16 allows RCE via untrusted Java deserialization in HttpInvoker endpoints; vendor considers untrusted data out of scope.
Vulnerability Overview
CVE-2016-1000027 is a remote code execution (RCE) vulnerability in Pivotal Spring Framework through version 5.3.16. The root cause lies in how the framework's HttpInvokerServiceExporter handles Java deserialization. The exporter deserializes remote invocation objects from incoming HTTP requests using Java's native serialization, similar to RMI. When an attacker can supply untrusted serialized data to such an endpoint, they can craft malicious objects that execute arbitrary code upon deserialization [2].
Exploitation Context
This issue is not new; a similar deserialization flaw in Spring's remoting was previously exploited and assigned CVE-2011-2894, which patched a specific proxy class vector. However, the broader pattern of trusting deserialized data remained. An attacker needs network access to a Spring-based service that exposes an HttpInvokerServiceExporter endpoint. Authentication may be required depending on the application's access controls, but many integrations, including those in commercial vendor products, have been confirmed as exploitable [2].
Impact and Mitigation
Successful exploitation grants the attacker arbitrary code execution on the server. The vendor's position is that untrusted deserialization is not an intended use case, and thus the behavior will not be changed because some users rely on deserialization of trusted data [1]. As a result, no official patch has been issued. The recommended mitigation is to avoid using HttpInvokerServiceExporter with untrusted inputs. In later versions (5.1+), the related SimpleHttpServerFactoryBean and support classes for Sun's HTTP server were deprecated, but no fix changes the fundamental deserialization path [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
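For deployments that cannot yet remove the endpoint, one defense-in-depth measure for the mitigation described above is a JDK serialization filter (JEP 290, JDK 9+) attached to the stream that HttpInvokerServiceExporter reads RemoteInvocation objects from. This is an added example, not Spring Framework code; it assumes Spring 5.x (where the class still exists), and the package com.example.accounts.model and the resource limits are placeholders to be replaced with the service's real parameter types and sizes.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;

import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;

/**
 * HttpInvokerServiceExporter subclass that installs a JEP 290 deserialization
 * filter (JDK 9+) on the ObjectInputStream the exporter reads RemoteInvocation
 * objects from. Added example for this page; not part of Spring Framework.
 * It does not make the endpoint safe for untrusted clients; it narrows the set
 * of classes an attacker-controlled stream can instantiate.
 */
public class FilteredHttpInvokerServiceExporter extends HttpInvokerServiceExporter {

    /**
     * Allow-list; the first matching pattern wins, so order matters:
     *  - resource limits bound nesting depth, back-references, bytes and array sizes;
     *  - RemoteInvocation is the envelope the exporter expects;
     *  - java.lang.* covers String (method name), Class (parameter types) and
     *    boxed primitives; java.util.* covers the attributes map. Narrow both if
     *    the exported interface never takes collections;
     *  - com.example.accounts.model.* is an ASSUMED package for the service's own
     *    parameter types; replace it with the real one;
     *  - "!*" rejects every class not matched above (gadget-chain classes included).
     */
    private static final ObjectInputFilter REMOTE_INVOCATION_FILTER =
            ObjectInputFilter.Config.createFilter(
                    "maxdepth=16;maxrefs=2000;maxbytes=1048576;maxarray=10000;"
                    + "org.springframework.remoting.support.RemoteInvocation;"
                    + "java.lang.*;"
                    + "java.util.*;"
                    + "com.example.accounts.model.*;"
                    + "!*");

    @Override
    protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException {
        // Keep Spring's own stream implementation and attach the filter before
        // doReadRemoteInvocation() starts reading. A rejected class surfaces as
        // java.io.InvalidClassException (an IOException) out of handleRequest(),
        // so the request fails and the rejected class is never instantiated.
        ObjectInputStream ois = super.createObjectInputStream(is);
        ois.setObjectInputFilter(REMOTE_INVOCATION_FILTER);
        return ois;
    }
}
```

Register the subclass in place of HttpInvokerServiceExporter in the servlet mapping; the network restriction to trusted callers that the vendor recommends still applies.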
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework:spring-web (Maven) | < 6.0.0 | 6.0.0 |
Affected products
- Pivotal/Spring Framework (description)
- OSV coordinates (26 versions):
  - pkg:apk/chainguard/apache-nifi
  - pkg:apk/chainguard/apache-nifi-compat
  - pkg:apk/chainguard/apache-nifi-toolkit
  - pkg:apk/chainguard/geoserver-2.26
  - pkg:apk/chainguard/geoserver-2.26-community
  - pkg:apk/chainguard/geoserver-2.26-docker
  - pkg:apk/chainguard/geoserver-2.27
  - pkg:apk/chainguard/geoserver-2.27-community
  - pkg:apk/chainguard/geoserver-2.27-docker
  - pkg:apk/chainguard/geoserver-2.28
  - pkg:apk/chainguard/geoserver-2.28-community
  - pkg:apk/chainguard/jenkins
  - pkg:apk/chainguard/jenkins-2.440
  - pkg:apk/chainguard/jenkins-2.452
  - pkg:apk/chainguard/jenkins-2.462
  - pkg:apk/chainguard/jenkins-compat
  - pkg:apk/chainguard/jenkins-remoting
  - pkg:apk/chainguard/ontop
  - pkg:apk/chainguard/ontop-fips
  - pkg:apk/wolfi/apache-nifi
  - pkg:apk/wolfi/apache-nifi-compat
  - pkg:apk/wolfi/apache-nifi-toolkit
  - pkg:apk/wolfi/jenkins
  - pkg:apk/wolfi/jenkins-compat
  - pkg:apk/wolfi/jenkins-remoting
  - pkg:maven/org.springframework/spring-web
- None of the 26 entries carries a CPE. Recorded ranges: 24 entries show only the placeholder range `< 0`; one Chainguard apk entry shows `< 2.28.3-r0`; the final entry (Maven spring-web) shows `< 6.0.0`, matching the table above.
Patches
2b051b8b3217 Deprecate support classes for Sun's JDK HTTP server
11 files changed · +18 −52
spring-context/src/main/java/org/springframework/remoting/support/SimpleHttpServerFactoryBean.java+3 −2 modified@@ -33,7 +33,6 @@ import org.springframework.beans.factory.DisposableBean; import org.springframework.beans.factory.FactoryBean; import org.springframework.beans.factory.InitializingBean; -import org.springframework.lang.UsesSunHttpServer; /** * {@link org.springframework.beans.factory.FactoryBean} that creates a simple @@ -51,8 +50,10 @@ * @since 2.5.1 * @see #setPort * @see #setContexts + * @deprecated as of Spring Framework 5.1, in favor of embedded Tomcat/Jetty/Undertow */ -@UsesSunHttpServer +@Deprecated +@org.springframework.lang.UsesSunHttpServer public class SimpleHttpServerFactoryBean implements FactoryBean<HttpServer>, InitializingBean, DisposableBean { protected final Log logger = LogFactory.getLog(getClass());
spring-core/src/main/java/org/springframework/lang/UsesSunHttpServer.java+3 −1 modified@@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -28,7 +28,9 @@ * * @author Stephane Nicoll * @since 4.1 + * @deprecated as of 5.1, along with Spring's Sun HTTP Server support classes */ +@Deprecated @Retention(RetentionPolicy.CLASS) @Target({ElementType.METHOD, ElementType.CONSTRUCTOR, ElementType.TYPE}) @Documented
spring-web/src/main/java/org/springframework/remoting/caucho/HessianExporter.java+0 −1 modified@@ -53,7 +53,6 @@ * @since 2.5.1 * @see #invoke(java.io.InputStream, java.io.OutputStream) * @see HessianServiceExporter - * @see SimpleHessianServiceExporter */ public class HessianExporter extends RemoteExporter implements InitializingBean {
spring-web/src/main/java/org/springframework/remoting/caucho/HessianServiceExporter.java+0 −3 modified@@ -29,9 +29,6 @@ * Servlet-API-based HTTP request handler that exports the specified service bean * as Hessian service endpoint, accessible via a Hessian proxy. * - * <p><b>Note:</b> Spring also provides an alternative version of this exporter, - * for Sun's JRE 1.6 HTTP server: {@link SimpleHessianServiceExporter}. - * * <p>Hessian is a slim, binary RPC protocol. * For information on Hessian, see the * <a href="http://www.caucho.com/hessian">Hessian website</a>.
spring-web/src/main/java/org/springframework/remoting/caucho/SimpleHessianServiceExporter.java+4 −4 modified@@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,7 +22,6 @@ import com.sun.net.httpserver.HttpExchange; import com.sun.net.httpserver.HttpHandler; -import org.springframework.lang.UsesSunHttpServer; import org.springframework.util.FileCopyUtils; /** @@ -43,9 +42,10 @@ * @since 2.5.1 * @see org.springframework.remoting.caucho.HessianClientInterceptor * @see org.springframework.remoting.caucho.HessianProxyFactoryBean - * @see org.springframework.remoting.httpinvoker.SimpleHttpInvokerServiceExporter + * @deprecated as of Spring Framework 5.1, in favor of {@link HessianServiceExporter} */ -@UsesSunHttpServer +@Deprecated +@org.springframework.lang.UsesSunHttpServer public class SimpleHessianServiceExporter extends HessianExporter implements HttpHandler { /**
spring-web/src/main/java/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java+0 −3 modified@@ -36,9 +36,6 @@ * Servlet-API-based HTTP request handler that exports the specified service bean * as HTTP invoker service endpoint, accessible via an HTTP invoker proxy. * - * <p><b>Note:</b> Spring also provides an alternative version of this exporter, - * for Sun's JRE 1.6 HTTP server: {@link SimpleHttpInvokerServiceExporter}. - * * <p>Deserializes remote invocation objects and serializes remote invocation * result objects. Uses Java serialization just like RMI, but provides the * same ease of setup as Caucho's HTTP-based Hessian protocol.
spring-web/src/main/java/org/springframework/remoting/httpinvoker/SimpleHttpInvokerServiceExporter.java+4 −4 modified@@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -25,7 +25,6 @@ import com.sun.net.httpserver.HttpExchange; import com.sun.net.httpserver.HttpHandler; -import org.springframework.lang.UsesSunHttpServer; import org.springframework.remoting.rmi.RemoteInvocationSerializingExporter; import org.springframework.remoting.support.RemoteInvocation; import org.springframework.remoting.support.RemoteInvocationResult; @@ -55,9 +54,10 @@ * @since 2.5.1 * @see org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor * @see org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean - * @see org.springframework.remoting.caucho.SimpleHessianServiceExporter + * @deprecated as of Spring Framework 5.1, in favor of {@link HttpInvokerServiceExporter} */ -@UsesSunHttpServer +@Deprecated +@org.springframework.lang.UsesSunHttpServer public class SimpleHttpInvokerServiceExporter extends RemoteInvocationSerializingExporter implements HttpHandler { /**
spring-web/src/main/java/org/springframework/remoting/jaxws/AbstractJaxWsServiceExporter.java+0 −1 modified@@ -48,7 +48,6 @@ * @see javax.jws.WebService * @see javax.xml.ws.Endpoint * @see SimpleJaxWsServiceExporter - * @see SimpleHttpServerJaxWsServiceExporter */ public abstract class AbstractJaxWsServiceExporter implements BeanFactoryAware, InitializingBean, DisposableBean {
spring-web/src/main/java/org/springframework/remoting/jaxws/SimpleHttpServerJaxWsServiceExporter.java+3 −2 modified@@ -30,7 +30,6 @@ import org.apache.commons.logging.LogFactory; import org.springframework.lang.Nullable; -import org.springframework.lang.UsesSunHttpServer; import org.springframework.util.Assert; /** @@ -49,8 +48,10 @@ * @see javax.jws.WebService * @see javax.xml.ws.Endpoint#publish(Object) * @see SimpleJaxWsServiceExporter + * @deprecated as of Spring Framework 5.1, in favor of {@link SimpleJaxWsServiceExporter} */ -@UsesSunHttpServer +@Deprecated +@org.springframework.lang.UsesSunHttpServer public class SimpleHttpServerJaxWsServiceExporter extends AbstractJaxWsServiceExporter { protected final Log logger = LogFactory.getLog(getClass());
spring-web/src/main/java/org/springframework/remoting/jaxws/SimpleJaxWsServiceExporter.java+1 −6 modified@@ -30,17 +30,12 @@ * * <p>Note that this exporter will only work if the JAX-WS runtime actually * supports publishing with an address argument, i.e. if the JAX-WS runtime - * ships an internal HTTP server. This is the case with the JAX-WS runtime - * that's included in Sun's JDK 6 but not with the standalone JAX-WS 2.1 RI. - * - * <p>For explicit configuration of JAX-WS endpoints with Sun's JDK 6 - * HTTP server, consider using {@link SimpleHttpServerJaxWsServiceExporter}! + * ships an internal HTTP server. * * @author Juergen Hoeller * @since 2.5 * @see javax.jws.WebService * @see javax.xml.ws.Endpoint#publish(String) - * @see SimpleHttpServerJaxWsServiceExporter */ public class SimpleJaxWsServiceExporter extends AbstractJaxWsServiceExporter {
src/docs/asciidoc/integration.adoc+0 −25 modified@@ -442,31 +442,6 @@ servlet name matching the bean name of the target exporter: </servlet-mapping> ---- -If you are running outside of a servlet container and are using Oracle's Java 6, then you -can use the built-in HTTP server implementation. You can configure the -`SimpleHttpServerFactoryBean` together with a `SimpleHttpInvokerServiceExporter` as is -shown in this example: - -[source,xml,indent=0] -[subs="verbatim,quotes"] ----- - <bean name="accountExporter" - class="org.springframework.remoting.httpinvoker.SimpleHttpInvokerServiceExporter"> - <property name="service" ref="accountService"/> - <property name="serviceInterface" value="example.AccountService"/> - </bean> - - <bean id="httpServer" - class="org.springframework.remoting.support.SimpleHttpServerFactoryBean"> - <property name="contexts"> - <util:map> - <entry key="/remoting/AccountService" value-ref="accountExporter"/> - </util:map> - </property> - <property name="port" value="8080"/> - </bean> ----- - [[remoting-httpinvoker-client]] ==== Linking in the service at the client
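Review bot: in the SimpleHttpInvokerServiceExporter hunk, the new `@deprecated as of Spring Framework 5.1, in favor of {@link HttpInvokerServiceExporter}` steers users to a class whose own Javadoc in this same patch still reads "Deserializes remote invocation objects ... Uses Java serialization just like RMI", so the migration target carries the identical untrusted-deserialization exposure; the deprecation text should state that the replacement has the same trust requirement (only clients you control) rather than read as a safer alternative.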
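Review bot: the integration.adoc hunk removes the SimpleHttpServerFactoryBean example but leaves the remaining HTTP invoker section, ending at the `</servlet-mapping>` example and `[[remoting-httpinvoker-client]]`, with no statement about which clients may reach the exporter; since every code change in this patch is a deprecation or Javadoc edit, the reference documentation is where operators will look, and a sentence that HTTP invoker endpoints must be reachable only by trusted services belongs next to the servlet-mapping example.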
5cbe90b2cd91 Explicit note on Java deserialization
2 files changed · +12 −2
spring-web/src/main/java/org/springframework/remoting/httpinvoker/HttpInvokerProxyFactoryBean.java+6 −1 modified@@ -1,5 +1,5 @@ /* - * Copyright 2002-2009 the original author or authors. + * Copyright 2002-2016 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -36,6 +36,11 @@ * expense of being tied to Java. Nevertheless, it is as easy to set up as * Hessian and Burlap, which is its main advantage compared to RMI. * + * <p><b>WARNING: Be aware of vulnerabilities due to unsafe Java deserialization: + * Manipulated input streams could lead to unwanted code execution on the server + * during the deserialization step. As a consequence, do not expose HTTP invoker + * endpoints to untrusted clients but rather just between your own services.</b> + * * @author Juergen Hoeller * @since 1.1 * @see #setServiceInterface
spring-web/src/main/java/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java+6 −1 modified@@ -1,5 +1,5 @@ /* - * Copyright 2002-2010 the original author or authors. + * Copyright 2002-2016 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -47,6 +47,11 @@ * expense of being tied to Java. Nevertheless, it is as easy to set up as * Hessian and Burlap, which is its main advantage compared to RMI. * + * <p><b>WARNING: Be aware of vulnerabilities due to unsafe Java deserialization: + * Manipulated input streams could lead to unwanted code execution on the server + * during the deserialization step. As a consequence, do not expose HTTP invoker + * endpoints to untrusted clients but rather just between your own services.</b> + * * @author Juergen Hoeller * @since 1.1 * @see HttpInvokerClientInterceptor
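Review bot: the HttpInvokerServiceExporter hunk adds the WARNING paragraph but changes nothing in the deserialization path itself, so the exporter still accepts whatever object graph the stream carries and only readers of the generated API docs benefit. Consider pairing the text with a control, for example installing a java.io.ObjectInputFilter (JDK 9+) on the ObjectInputStream the exporter creates, restricted to RemoteInvocation and the service's parameter types, or at minimum naming such a filter in the Javadoc as the expected hardening step for anyone who cannot keep the endpoint internal-only.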
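Review bot: the HttpInvokerProxyFactoryBean hunk copies the server-side wording ("unwanted code execution on the server") into a client-side class; the proxy is the party that deserializes the remote invocation result the exporter serializes, so a compromised or spoofed server is the relevant threat on this side and the warning should say the client must only connect to trusted services. Duplicating the paragraph verbatim in both files also lets the two drift; a `@see` to one authoritative location would help.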
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4wrc-f8pq-fpqp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-1000027 (ghsa, ADVISORY)
- bugzilla.redhat.com/show_bug.cgi (ghsa, WEB)
- github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f (ghsa, WEB)
- github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa (ghsa, WEB)
- github.com/spring-projects/spring-framework/issues/21680 (ghsa, WEB)
- github.com/spring-projects/spring-framework/issues/24434 (ghsa, WEB)
- jira.spring.io/browse/SPR-17143 (ghsa, WEB)
- security-tracker.debian.org/tracker/CVE-2016-1000027 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20230420-0009 (ghsa, WEB)
- spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now (ghsa, WEB)
- support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027 (ghsa, WEB)
- www.tenable.com/security/research/tra-2016-20 (ghsa, WEB)
- raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000027.json (mitre)
- security.netapp.com/advisory/ntap-20230420-0009/ (mitre)
News mentions
No linked articles in our index yet.