VYPR
Moderate severity · NVD Advisory · Published Jun 25, 2018 · Updated Sep 17, 2024

CVE-2018-11040

Description

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, once MappingJackson2JsonView is configured in an application, JSONP support is automatically available through the "jsonp" and "callback" request parameters, enabling cross-domain requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Spring Framework allows unintended cross-domain requests via JSONP when MappingJackson2JsonView is configured, leading to potential data exposure.

Vulnerability

CVE-2018-11040 affects Spring Framework versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18, as well as older unsupported versions. The vulnerability originates in MappingJackson2JsonView, which, when configured in an application, automatically enables JSONP (JSON with Padding) support via the jsonp and callback request parameters. This can be exploited to perform cross-domain requests, bypassing same-origin policy restrictions [1][2][4].

Exploitation

An attacker can craft a URL to a target application that uses MappingJackson2JsonView and carries a jsonp or callback parameter. By luring a victim to click on this link or by embedding it in a script tag, the attacker can trigger a cross-domain request that reads sensitive data from the target application. No prior authentication is required if the endpoint is accessible, but user interaction (e.g., clicking a link) is typically needed to execute the attack [3][4].

Impact

Successful exploitation allows an attacker to bypass the same-origin policy and read sensitive JSON data from the affected application. This constitutes unauthorized information disclosure, potentially exposing user-specific or application-internal data to third-party domains [2][4].

Mitigation

Upgrade to Spring Framework 5.0.7 or 4.3.18 (or later), where JSONP support is deprecated and disabled by default. For legitimate cross-domain requests, use CORS (Cross-Origin Resource Sharing) instead. For older unsupported versions, the only options are upgrading or removing the JSONP configuration [1][2][4].
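As an added example (not code from the advisory or from Spring itself), the weak configuration beside the corrected one: a MappingJackson2JsonView bean as it is typically declared on an affected version, and the same bean with the JSONP parameter names cleared plus a CORS mapping as the replacement for cross-origin access. The package, bean names and the allowed origin are placeholders.

```java
// Added example, not Spring's own code. Assumes a Spring MVC application
// on 5.0.x (WebMvcConfigurer with default methods); on 4.3.x extend
// WebMvcConfigurerAdapter instead. Package and origin are placeholders.
package com.example.config;

import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.view.BeanNameViewResolver;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

@Configuration
@EnableWebMvc
public class JsonViewConfig implements WebMvcConfigurer {

    // Resolves the view name "jsonView" to the bean declared below.
    @Bean
    public BeanNameViewResolver beanNameViewResolver() {
        return new BeanNameViewResolver();
    }

    // BEFORE (5.0.x < 5.0.7, 4.3.x < 4.3.18): declaring the view is all it
    // takes. jsonpParameterNames defaults to {"jsonp", "callback"}, so a
    // request such as GET /account?callback=f is rendered as f({...}) with
    // Content-Type application/javascript, and any page that embeds that
    // URL in a <script> tag can read the JSON the user is authorised to see.
    //
    // @Bean
    // public MappingJackson2JsonView jsonView() {
    //     return new MappingJackson2JsonView();
    // }

    // AFTER: clear the JSONP parameter names explicitly. On 5.0.7 / 4.3.18
    // the default is already empty, so this is belt-and-braces that also
    // protects a build that is accidentally resolved to an older version.
    // The setter is deprecated in the fixed versions and removed in 5.1,
    // where the bare bean is already safe and this call must be dropped.
    @Bean
    @SuppressWarnings("deprecation")
    public MappingJackson2JsonView jsonView() {
        MappingJackson2JsonView view = new MappingJackson2JsonView();
        view.setJsonpParameterNames(Collections.<String>emptySet());
        return view;
    }

    // Cross-origin access goes through CORS instead: an explicit allow-list
    // of origins and methods that the browser enforces, rather than a
    // callback wrapper that any third-party page can request.
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com") // placeholder
                .allowedMethods("GET", "POST")
                .allowCredentials(true)
                .maxAge(3600);
    }
}
```

With the hardened bean, a request carrying ?callback=f to a view-resolved endpoint is answered as plain application/json with no wrapper; cross-origin callers that are not on the CORS allow-list get no Access-Control-Allow-Origin header and the browser withholds the body.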

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (Maven)                     Affected versions                    Patched version
org.springframework:spring-core     >= 5.0.0.RELEASE, < 5.0.7.RELEASE    5.0.7.RELEASE
org.springframework:spring-core     >= 4.3.0.RELEASE, < 4.3.18.RELEASE   4.3.18.RELEASE

Affected products: 2

Patches: 2

b80c13b722bb

Deprecate JSONP and disable it by default in Jackson view

https://github.com/spring-projects/spring-framework · Sebastien Deleuze · Jun 8, 2018 · via ghsa
11 files changed · +62 −15
  • spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java+4 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2015 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -45,7 +45,10 @@
      *
      * @author Rossen Stoyanchev
      * @since 4.1
    + * @deprecated Will be removed as of Spring Framework 5.1, use
    + * <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
      */
    +@Deprecated
     public abstract class AbstractJsonpResponseBodyAdvice extends AbstractMappingJacksonResponseBodyAdvice {
     
     	/**
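Review bot: deprecating AbstractJsonpResponseBodyAdvice changes no behaviour, so an application that already registers a subclass of it as a ControllerAdvice keeps wrapping REST responses in the callback until that bean is removed. The @deprecated text should say that removing the advice is the actual remediation for the REST path rather than only pointing at CORS, since the MVC view in this same commit is turned off by default while this class is not.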
    
  • spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java+14 3 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2017 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -59,6 +59,7 @@
      * @author Sebastien Deleuze
      * @since 3.1.2
      */
    +@SuppressWarnings("deprecation")
     public class MappingJackson2JsonView extends AbstractJackson2View {
     
     	/**
    @@ -69,7 +70,10 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
     
     	/**
     	 * Default content type for JSONP: "application/javascript".
    +	 * @deprecated Will be removed as of Spring Framework 5.1, use
    +	 * <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
     	 */
    +	@Deprecated
     	public static final String DEFAULT_JSONP_CONTENT_TYPE = "application/javascript";
     
     	/**
    @@ -87,7 +91,7 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
     	private boolean extractValueFromSingleKeyModel = false;
     
     	@Nullable
    -	private Set<String> jsonpParameterNames = new LinkedHashSet<>(Arrays.asList("jsonp", "callback"));
    +	private Set<String> jsonpParameterNames = new LinkedHashSet<>();
     
     
     	/**
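Review bot: this hunk is the behavioural fix; the default set is now empty, so a request carrying ?jsonp= or ?callback= is rendered as plain JSON unless setJsonpParameterNames is called. Two things to verify: the field keeps @Nullable and the old default was never null, so getJsonpParameterValue must now tolerate both null and an empty set; and the field stays mutable, so a single call to the deprecated setter restores exactly the behaviour the CVE describes. Logging at startup when the set is non-empty would make that opt-in visible to operators.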
    @@ -170,10 +174,14 @@ public void setExtractValueFromSingleKeyModel(boolean extractValueFromSingleKeyM
     	 * Set JSONP request parameter names. Each time a request has one of those
     	 * parameters, the resulting JSON will be wrapped into a function named as
     	 * specified by the JSONP request parameter value.
    -	 * <p>The parameter names configured by default are "jsonp" and "callback".
    +	 * <p>As of Spring Framework 5.0.7, there is no parameter name configured
    +	 * by default.
     	 * @since 4.1
     	 * @see <a href="http://en.wikipedia.org/wiki/JSONP">JSONP Wikipedia article</a>
    +	 * @deprecated Will be removed as of Spring Framework 5.1, use
    +	 * <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
     	 */
    +	@Deprecated
     	public void setJsonpParameterNames(Set<String> jsonpParameterNames) {
     		this.jsonpParameterNames = jsonpParameterNames;
     	}
    @@ -204,7 +212,10 @@ private String getJsonpParameterValue(HttpServletRequest request) {
     	 * Invalid parameter values are ignored.
     	 * @param value the query param value, never {@code null}
     	 * @since 4.1.8
    +	 * @deprecated Will be removed as of Spring Framework 5.1, use
    +	 * <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
     	 */
    +	@Deprecated
     	protected boolean isValidJsonpQueryParam(String value) {
     		return CALLBACK_PARAM_PATTERN.matcher(value).matches();
     	}
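Review bot: isValidJsonpQueryParam remains the only guard between the query string and the script body that the view emits, and the tests below show it accepting [A-Za-z0-9_.] and rejecting "<script>" and "!foo!bar". Because the method is deprecated rather than removed, keep it under test and make sure the @SuppressWarnings("deprecation") added on the class does not hide a later change to CALLBACK_PARAM_PATTERN.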
    
  • spring-webmvc/src/test/java/org/springframework/web/servlet/view/json/MappingJackson2JsonViewTests.java+12 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2016 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -17,9 +17,11 @@
     package org.springframework.web.servlet.view.json;
     
     import java.io.IOException;
    +import java.util.Arrays;
     import java.util.Date;
     import java.util.HashMap;
     import java.util.HashSet;
    +import java.util.LinkedHashSet;
     import java.util.Map;
     import java.util.Set;
     
    @@ -324,11 +326,19 @@ public void renderSimpleBeanWithFilters() throws Exception {
     
     	@Test
     	public void renderWithJsonp() throws Exception {
    +		testJsonp("jsonp", "callback", false);
    +		testJsonp("jsonp", "_callback", false);
    +		testJsonp("jsonp", "_Call.bAcK", false);
    +		testJsonp("jsonp", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.", false);
    +		testJsonp("jsonp", "<script>", false);
    +		testJsonp("jsonp", "!foo!bar", false);
    +
    +		this.view.setJsonpParameterNames(new LinkedHashSet<>(Arrays.asList("jsonp")));
    +
     		testJsonp("jsonp", "callback", true);
     		testJsonp("jsonp", "_callback", true);
     		testJsonp("jsonp", "_Call.bAcK", true);
     		testJsonp("jsonp", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.", true);
    -
     		testJsonp("jsonp", "<script>", false);
     		testJsonp("jsonp", "!foo!bar", false);
     	}
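Review bot: the opt-in half of renderWithJsonp re-enables only "jsonp" and then only sends requests with that parameter name; nothing asserts that "callback" stays ignored after the setter call, even though "callback" is one of the two names the advisory singles out. Add a testJsonp case with "callback" as the parameter name expecting no wrapping after setJsonpParameterNames, and a case where an empty set is passed explicitly, so the default-off contract has a regression test of its own.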
    
  • spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsService.java+2 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2016 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -79,6 +79,7 @@ public DefaultSockJsService(TaskScheduler scheduler, Collection<TransportHandler
     	}
     
     
    +	@SuppressWarnings("deprecation")
     	private static Set<TransportHandler> getDefaultTransportHandlers(@Nullable Collection<TransportHandler> overrides) {
     		Set<TransportHandler> result = new LinkedHashSet<>(8);
     		result.add(new XhrPollingTransportHandler());
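Review bot: only the warning is suppressed here; the suppression is needed because getDefaultTransportHandlers goes on constructing the JSONP transport handlers that this same commit deprecates, so SockJS keeps its JSONP transports on by default while the MVC view turns JSONP off. If the intent is "disable JSONP by default", this method needs the same treatment; otherwise the commit message should state that the SockJS default is unchanged.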
    
  • spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/handler/JsonpPollingTransportHandler.java+3 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2016 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -41,7 +41,9 @@
      *
      * @author Rossen Stoyanchev
      * @since 4.0
    + * @deprecated Will be removed as of Spring Framework 5.1, use others transports instead.
      */
    +@Deprecated
     public class JsonpPollingTransportHandler extends AbstractHttpSendingTransportHandler {
     
     	@Override
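Review bot: grammar in the @deprecated text: "use others transports instead" should read "use other transports instead"; the same wording appears in JsonpReceivingTransportHandler and TransportType in this commit. It would also help to name a replacement (xhr_polling and xhr_streaming are visible in the TransportType enum) the way the MVC classes name CORS.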
    
  • spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/handler/JsonpReceivingTransportHandler.java+3 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2016 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -38,7 +38,9 @@
      * A {@link TransportHandler} that receives messages over HTTP.
      *
      * @author Rossen Stoyanchev
    + * @deprecated Will be removed as of Spring Framework 5.1, use others transports instead.
      */
    +@Deprecated
     public class JsonpReceivingTransportHandler extends AbstractHttpReceivingTransportHandler {
     
     	private final FormHttpMessageConverter formConverter = new FormHttpMessageConverter();
    
  • spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportType.java+5 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2017 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -28,6 +28,8 @@
     /**
      * SockJS transport types.
      *
    + * <p>JSONP support will be removed as of Spring Framework 5.1, use others transports instead.
    + *
      * @author Rossen Stoyanchev
      * @author Sebastien Deleuze
      * @since 4.0
    @@ -40,8 +42,10 @@ public enum TransportType {
     
     	XHR_SEND("xhr_send", HttpMethod.POST, "cors", "jsessionid", "no_cache"),
     
    +	@Deprecated
     	JSONP("jsonp", HttpMethod.GET, "jsessionid", "no_cache"),
     
    +	@Deprecated
     	JSONP_SEND("jsonp_send", HttpMethod.POST, "jsessionid", "no_cache"),
     
     	XHR_STREAMING("xhr_streaming", HttpMethod.POST, "cors", "jsessionid", "no_cache"),
    
  • spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java+3 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2017 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -91,6 +91,7 @@ public void setPrefixJson(boolean prefixJson) {
     
     
     	@Override
    +	@SuppressWarnings("deprecation")
     	protected void writePrefix(JsonGenerator generator, Object object) throws IOException {
     		if (this.jsonPrefix != null) {
     			generator.writeRaw(this.jsonPrefix);
    @@ -104,6 +105,7 @@ protected void writePrefix(JsonGenerator generator, Object object) throws IOExce
     	}
     
     	@Override
    +	@SuppressWarnings("deprecation")
     	protected void writeSuffix(JsonGenerator generator, Object object) throws IOException {
     		String jsonpFunction =
     				(object instanceof MappingJacksonValue ? ((MappingJacksonValue) object).getJsonpFunction() : null);
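Review bot: writeSuffix still emits the callback wrapper whenever a MappingJacksonValue carries a jsonpFunction, so on the REST converter path this commit is deprecation only and nothing is disabled. That is acceptable for a patch release, but "disable it by default" in the commit message applies only to MappingJackson2JsonView, and the message should make that scope explicit.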
    
  • spring-web/src/main/java/org/springframework/http/converter/json/MappingJacksonValue.java+7 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2017 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -115,14 +115,20 @@ public FilterProvider getFilters() {
     
     	/**
     	 * Set the name of the JSONP function name.
    +	 * @deprecated Will be removed as of Spring Framework 5.1, use
    +	 * <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
     	 */
    +	@Deprecated
     	public void setJsonpFunction(@Nullable String functionName) {
     		this.jsonpFunction = functionName;
     	}
     
     	/**
     	 * Return the configured JSONP function name.
    +	 * @deprecated Will be removed as of Spring Framework 5.1, use
    +	 * <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
     	 */
    +	@Deprecated
     	@Nullable
     	public String getJsonpFunction() {
     		return this.jsonpFunction;
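Review bot: style: "Set the name of the JSONP function name." doubles "name"; "Set the JSONP function name." reads cleaner and matches the getter's javadoc.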
    
  • src/docs/asciidoc/web/webmvc.adoc+5 0 modified
    @@ -2670,6 +2670,11 @@ For controllers relying on view resolution, JSONP is automatically enabled when
     request has a query parameter named `jsonp` or `callback`. Those names can be
     customized through `jsonpParameterNames` property.
     
    +[NOTE]
    +====
    +As of Spring Framework 5.0.7, JSONP support is deprecated and will be removed as of
    +Spring Framework 5.1, <<mvc-cors,CORS>> should be used instead.
    +====
     
     
     [[mvc-ann-modelattrib-methods]]
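Review bot: the new NOTE sits directly under a paragraph that still states JSONP "is automatically enabled when request has a query parameter named `jsonp` or `callback`", which this commit makes false; update that paragraph the way webmvc-view.adoc is updated instead of only appending a note. Also "will be removed as of Spring Framework 5.1, <<mvc-cors,CORS>> should be used instead" is a comma splice; use a semicolon or a new sentence.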
    
  • src/docs/asciidoc/web/webmvc-view.adoc+4 3 modified
    @@ -2030,9 +2030,10 @@ annotations. When further control is needed, a custom `ObjectMapper` can be inje
     through the `ObjectMapper` property for cases where custom JSON
     serializers/deserializers need to be provided for specific types.
     
    -http://en.wikipedia.org/wiki/JSONP[JSONP] is supported and automatically enabled when
    -the request has a query parameter named `jsonp` or `callback`. The JSONP query parameter
    -name(s) could be customized through the `jsonpParameterNames` property.
    +As of Spring Framework 5.0.7, http://en.wikipedia.org/wiki/JSONP[JSONP] support is
    +deprecated and requires to customize the JSONP query parameter
    +name(s) through the `jsonpParameterNames` property. This support will be removed as of
    +Spring Framework 5.1, <<mvc-cors,CORS>> should be used instead.
     
     
     
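Review bot: "requires to customize the JSONP query parameter name(s)" is ungrammatical; "requires the JSONP query parameter name(s) to be set explicitly through the `jsonpParameterNames` property" also states the real contract (no names configured, no JSONP) more clearly. The same comma splice as in webmvc.adoc precedes "<<mvc-cors,CORS>> should be used instead".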
    
874859493bbd

Deprecate JSONP and disable it by default in Jackson view

https://github.com/spring-projects/spring-framework · Sebastien Deleuze · Jun 8, 2018 · via ghsa
11 files changed · +61 −15
  • spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java+4 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2015 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -45,7 +45,10 @@
      *
      * @author Rossen Stoyanchev
      * @since 4.1
    + * @deprecated Will be removed as of Spring Framework 5.1, use
    + * <a href="https://docs.spring.io/spring/docs/4.3.x/spring-framework-reference/html/cors.html">CORS</a> instead.
      */
    +@Deprecated
     public abstract class AbstractJsonpResponseBodyAdvice extends AbstractMappingJacksonResponseBodyAdvice {
     
     	/**
    
  • spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java+12 3 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2015 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -17,7 +17,6 @@
     package org.springframework.web.servlet.view.json;
     
     import java.io.IOException;
    -import java.util.Arrays;
     import java.util.Collections;
     import java.util.HashMap;
     import java.util.LinkedHashSet;
    @@ -58,6 +57,7 @@
      * @author Sebastien Deleuze
      * @since 3.1.2
      */
    +@SuppressWarnings("deprecation")
     public class MappingJackson2JsonView extends AbstractJackson2View {
     
     	/**
    @@ -68,7 +68,10 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
     
     	/**
     	 * Default content type for JSONP: "application/javascript".
    +	 * @deprecated Will be removed as of Spring Framework 5.1, use
    +	 * <a href="https://docs.spring.io/spring/docs/4.3.x/spring-framework-reference/html/cors.html">CORS</a> instead.
     	 */
    +	@Deprecated
     	public static final String DEFAULT_JSONP_CONTENT_TYPE = "application/javascript";
     
     	/**
    @@ -83,7 +86,7 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
     
     	private boolean extractValueFromSingleKeyModel = false;
     
    -	private Set<String> jsonpParameterNames = new LinkedHashSet<String>(Arrays.asList("jsonp", "callback"));
    +	private Set<String> jsonpParameterNames = new LinkedHashSet<String>();
     
     
     	/**
    @@ -168,7 +171,10 @@ public void setExtractValueFromSingleKeyModel(boolean extractValueFromSingleKeyM
     	 * <p>The parameter names configured by default are "jsonp" and "callback".
     	 * @since 4.1
     	 * @see <a href="http://en.wikipedia.org/wiki/JSONP">JSONP Wikipedia article</a>
    +	 * @deprecated Will be removed as of Spring Framework 5.1, use
    +	 * <a href="https://docs.spring.io/spring/docs/4.3.x/spring-framework-reference/html/cors.html">CORS</a> instead.
     	 */
    +	@Deprecated
     	public void setJsonpParameterNames(Set<String> jsonpParameterNames) {
     		this.jsonpParameterNames = jsonpParameterNames;
     	}
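Review bot: the javadoc line "<p>The parameter names configured by default are "jsonp" and "callback"." is left untouched while the field default just above was emptied, so the generated 4.3.18 API docs would still describe the vulnerable default. The 5.0.x commit replaces that line with "As of Spring Framework 5.0.7, there is no parameter name configured by default."; this backport should carry the same sentence with 4.3.18.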
    @@ -198,7 +204,10 @@ private String getJsonpParameterValue(HttpServletRequest request) {
     	 * Invalid parameter values are ignored.
     	 * @param value the query param value, never {@code null}
     	 * @since 4.1.8
    +	 * @deprecated Will be removed as of Spring Framework 5.1, use
    +	 * <a href="https://docs.spring.io/spring/docs/4.3.x/spring-framework-reference/html/cors.html">CORS</a> instead.
     	 */
    +	@Deprecated
     	protected boolean isValidJsonpQueryParam(String value) {
     		return CALLBACK_PARAM_PATTERN.matcher(value).matches();
     	}
    
  • spring-webmvc/src/test/java/org/springframework/web/servlet/view/json/MappingJackson2JsonViewTests.java+12 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2015 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -17,9 +17,11 @@
     package org.springframework.web.servlet.view.json;
     
     import java.io.IOException;
    +import java.util.Arrays;
     import java.util.Date;
     import java.util.HashMap;
     import java.util.HashSet;
    +import java.util.LinkedHashSet;
     import java.util.Map;
     import java.util.Set;
     
    @@ -324,11 +326,19 @@ public void renderSimpleBeanWithFilters() throws Exception {
     
     	@Test
     	public void renderWithJsonp() throws Exception {
    +		testJsonp("jsonp", "callback", false);
    +		testJsonp("jsonp", "_callback", false);
    +		testJsonp("jsonp", "_Call.bAcK", false);
    +		testJsonp("jsonp", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.", false);
    +		testJsonp("jsonp", "<script>", false);
    +		testJsonp("jsonp", "!foo!bar", false);
    +
    +		this.view.setJsonpParameterNames(new LinkedHashSet<String>(Arrays.asList("jsonp")));
    +
     		testJsonp("jsonp", "callback", true);
     		testJsonp("jsonp", "_callback", true);
     		testJsonp("jsonp", "_Call.bAcK", true);
     		testJsonp("jsonp", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.", true);
    -
     		testJsonp("jsonp", "<script>", false);
     		testJsonp("jsonp", "!foo!bar", false);
     	}
    
  • spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsService.java+2 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2014 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -78,6 +78,7 @@ public DefaultSockJsService(TaskScheduler scheduler, Collection<TransportHandler
     	}
     
     
    +	@SuppressWarnings("deprecation")
     	private static Set<TransportHandler> getDefaultTransportHandlers(Collection<TransportHandler> overrides) {
     		Set<TransportHandler> result = new LinkedHashSet<TransportHandler>(8);
     		result.add(new XhrPollingTransportHandler());
    
  • spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/handler/JsonpPollingTransportHandler.java+3 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2014 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -40,7 +40,9 @@
      *
      * @author Rossen Stoyanchev
      * @since 4.0
    + * @deprecated Will be removed as of Spring Framework 5.1, use others transports instead.
      */
    +@Deprecated
     public class JsonpPollingTransportHandler extends AbstractHttpSendingTransportHandler {
     
     	@Override
    
  • spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/handler/JsonpReceivingTransportHandler.java+3 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2014 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -36,7 +36,9 @@
      * A {@link TransportHandler} that receives messages over HTTP.
      *
      * @author Rossen Stoyanchev
    + * @deprecated Will be removed as of Spring Framework 5.1, use others transports instead.
      */
    +@Deprecated
     public class JsonpReceivingTransportHandler extends AbstractHttpReceivingTransportHandler {
     
     	private final FormHttpMessageConverter formConverter = new FormHttpMessageConverter();
    
  • spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportType.java+5 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2015 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -27,6 +27,8 @@
     /**
      * SockJS transport types.
      *
    + * <p>JSONP support will be removed as of Spring Framework 5.1, use others transports instead.
    + *
      * @author Rossen Stoyanchev
      * @author Sebastien Deleuze
      * @since 4.0
    @@ -39,8 +41,10 @@ public enum TransportType {
     
     	XHR_SEND("xhr_send", HttpMethod.POST, "cors", "jsessionid", "no_cache"),
     
    +	@Deprecated
     	JSONP("jsonp", HttpMethod.GET, "jsessionid", "no_cache"),
     
    +	@Deprecated
     	JSONP_SEND("jsonp_send", HttpMethod.POST, "jsessionid", "no_cache"),
     
     	XHR_STREAMING("xhr_streaming", HttpMethod.POST, "cors", "jsessionid", "no_cache"),
    
  • spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java+3 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2016 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -88,6 +88,7 @@ public void setPrefixJson(boolean prefixJson) {
     
     
     	@Override
    +	@SuppressWarnings("deprecation")
     	protected void writePrefix(JsonGenerator generator, Object object) throws IOException {
     		if (this.jsonPrefix != null) {
     			generator.writeRaw(this.jsonPrefix);
    @@ -101,6 +102,7 @@ protected void writePrefix(JsonGenerator generator, Object object) throws IOExce
     	}
     
     	@Override
    +	@SuppressWarnings("deprecation")
     	protected void writeSuffix(JsonGenerator generator, Object object) throws IOException {
     		String jsonpFunction =
     				(object instanceof MappingJacksonValue ? ((MappingJacksonValue) object).getJsonpFunction() : null);
    
  • spring-web/src/main/java/org/springframework/http/converter/json/MappingJacksonValue.java+7 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2015 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -108,14 +108,20 @@ public FilterProvider getFilters() {
     
     	/**
     	 * Set the name of the JSONP function name.
    +	 * @deprecated Will be removed as of Spring Framework 5.1, use
    +	 * <a href="https://docs.spring.io/spring/docs/4.3.x/spring-framework-reference/html/cors.html">CORS</a> instead.
     	 */
    +	@Deprecated
     	public void setJsonpFunction(String functionName) {
     		this.jsonpFunction = functionName;
     	}
     
     	/**
     	 * Return the configured JSONP function name.
    +	 * @deprecated Will be removed as of Spring Framework 5.1, use
    +	 * <a href="https://docs.spring.io/spring/docs/4.3.x/spring-framework-reference/html/cors.html">CORS</a> instead.
     	 */
    +	@Deprecated
     	public String getJsonpFunction() {
     		return this.jsonpFunction;
     	}
    
  • src/asciidoc/web-mvc.adoc+6 0 modified
    @@ -2291,6 +2291,12 @@ For controllers relying on view resolution, JSONP is automatically enabled when
     request has a query parameter named `jsonp` or `callback`. Those names can be
     customized through `jsonpParameterNames` property.
     
    +[NOTE]
    +====
    +As of Spring Framework 4.3.18, JSONP support is deprecated and will be removed as of
    +Spring Framework 5.1, <<cors,CORS>> should be used instead.
    +====
    +
     
     [[mvc-ann-async]]
     === Asynchronous Request Processing
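Review bot: as in the 5.0.x docs, the paragraph above the new NOTE still says JSONP "is automatically enabled when request has a query parameter named `jsonp` or `callback`", which contradicts the default this commit ships for 4.3.18; revise the paragraph rather than only appending the note, and replace the comma before "<<cors,CORS>> should be used instead" with a semicolon.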
    
  • src/asciidoc/web-view.adoc+4 3 modified
    @@ -2683,9 +2683,10 @@ annotations. When further control is needed, a custom `ObjectMapper` can be inje
     through the `ObjectMapper` property for cases where custom JSON
     serializers/deserializers need to be provided for specific types.
     
    -http://en.wikipedia.org/wiki/JSONP[JSONP] is supported and automatically enabled when
    -the request has a query parameter named `jsonp` or `callback`. The JSONP query parameter
    -name(s) could be customized through the `jsonpParameterNames` property.
    +As of Spring Framework 4.3.18, http://en.wikipedia.org/wiki/JSONP[JSONP] support is
    +deprecated and requires to customize the JSONP query parameter
    +name(s) through the `jsonpParameterNames` property. This support will be removed as of
    +Spring Framework 5.1, <<cors,CORS>> should be used instead.
     
     
     
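Review bot: same wording issue as the 5.0.x docs: "requires to customize the JSONP query parameter name(s)" should become "requires the JSONP query parameter name(s) to be set explicitly through the `jsonpParameterNames` property", and the comma before "<<cors,CORS>> should be used instead" is a splice.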
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 13
