VYPR
Moderate severity · NVD Advisory · Published Mar 7, 2019 · Updated Sep 16, 2024

Open Redirect in spring-security-oauth2

CVE-2019-3778

Description

Spring Security OAuth's DefaultRedirectResolver allows an open redirect that leaks the authorization code to an attacker-controlled URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Spring Security OAuth versions 2.3 prior to 2.3.5, 2.2 prior to 2.2.4, 2.1 prior to 2.1.4, 2.0 prior to 2.0.17, and older unsupported versions are susceptible to an open redirector attack in the authorization endpoint when using the DefaultRedirectResolver. The vulnerability allows a malicious user to craft a request with the authorization code grant type and a manipulated redirect_uri parameter, causing the authorization server to redirect the resource owner's user-agent to a URI controlled by the attacker, leaking the authorization code in the process [1][2][4].

Exploitation

An attacker must be able to craft a request to the authorization endpoint of an OAuth Authorization Server that uses @EnableAuthorizationServer and employs the DefaultRedirectResolver implementation. The attacker supplies a forged redirect_uri parameter that the resolver accepts as valid, which then causes the server to redirect the user-agent to the attacker's URI along with the authorization code. No prior authentication or special network position is required beyond being able to induce a resource owner to visit the crafted link or having the ability to send the request to the endpoint [1][2][4].

Impact

Successful exploitation leaks the authorization code to an attacker-controlled location. With the stolen authorization code, the attacker may be able to obtain an access token and impersonate the resource owner, leading to unauthorized access to protected resources. The impact is information disclosure (the authorization code) and subsequent potential for account takeover or data access, depending on the OAuth flow and scope [1][2][4].

Mitigation

Applications should upgrade to fixed versions: 2.3.5, 2.2.4, 2.1.4, or 2.0.17, depending on the version in use. The project is no longer under active maintenance and has been replaced by Spring Security's built-in OAuth2 support and Spring Authorization Server [3]. As a workaround, applications can implement a custom RedirectResolver instead of the vulnerable DefaultRedirectResolver. Patches were released in February 2019 [1][2][4].
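An added illustration of the custom-resolver workaround named above, not code from the Spring Security OAuth project: a RedirectResolver that accepts a redirect_uri only when it is byte-for-byte equal to one of the client's registered URIs, so no host-suffix, path-prefix, port, query or fragment tolerance exists for a forged value to satisfy. The package and class names are hypothetical, and wiring through AuthorizationServerEndpointsConfigurer.redirectResolver(...) is assumed to be available in the 2.x configurer.

```java
// Added example, not code from the spring-security-oauth2 project; package and class names are hypothetical.
package example.oauth;

import java.util.Set;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;

/** Accepts a redirect_uri only when it is byte-for-byte equal to one the client registered. */
public class ExactMatchRedirectResolver implements RedirectResolver {

    @Override
    public String resolveRedirect(String requestedRedirect, ClientDetails client) {
        Set<String> registered = client.getRegisteredRedirectUri();
        if (registered == null || registered.isEmpty()) {
            // Nothing registered means nothing can be trusted: never echo the requested value back.
            throw new InvalidRequestException("Client has no registered redirect URI.");
        }
        if (requestedRedirect == null) {
            // Same convenience as the default resolver: a single registered URI needs no redirect_uri.
            if (registered.size() == 1) {
                return registered.iterator().next();
            }
            throw new RedirectMismatchException("redirect_uri is required when several URIs are registered.");
        }
        // Plain string equality: no host-suffix, path-prefix, port, query or fragment tolerance,
        // so there is no partial match for a forged value to satisfy. Register each callback explicitly.
        if (!registered.contains(requestedRedirect)) {
            throw new RedirectMismatchException("redirect_uri does not exactly match a registered URI.");
        }
        return requestedRedirect;
    }
}

/** Wiring in place of DefaultRedirectResolver (assumes the configurer's redirectResolver() setter). */
@Configuration
class StrictRedirectAuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.redirectResolver(new ExactMatchRedirectResolver());
    }
}
```

Clients that relied on the default resolver's prefix or subdomain matching must register every callback URI they use before this resolver is switched in.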

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                                    Ecosystem  Affected versions                    Patched version
org.springframework.security.oauth:spring-security-oauth   Maven      < 2.0.17.RELEASE                     2.0.17.RELEASE
org.springframework.security.oauth:spring-security-oauth2  Maven      < 2.0.17.RELEASE                     2.0.17.RELEASE
org.springframework.security.oauth:spring-security-oauth   Maven      >= 2.1.0.RELEASE, < 2.1.4.RELEASE    2.1.4.RELEASE
org.springframework.security.oauth:spring-security-oauth2  Maven      >= 2.1.0.RELEASE, < 2.1.4.RELEASE    2.1.4.RELEASE
org.springframework.security.oauth:spring-security-oauth   Maven      >= 2.2.0.RELEASE, < 2.2.4.RELEASE    2.2.4.RELEASE
org.springframework.security.oauth:spring-security-oauth2  Maven      >= 2.2.0.RELEASE, < 2.2.4.RELEASE    2.2.4.RELEASE
org.springframework.security.oauth:spring-security-oauth   Maven      >= 2.3.0.RELEASE, < 2.3.5.RELEASE    2.3.5.RELEASE
org.springframework.security.oauth:spring-security-oauth2  Maven      >= 2.3.0.RELEASE, < 2.3.5.RELEASE    2.3.5.RELEASE

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 7

News mentions: 0 (no linked articles in our index yet)