VYPR
Moderate severity · NVD Advisory · Published Jul 17, 2023 · Updated Oct 30, 2024

Forwarded header exploit with Spring HATEOAS on WebFlux

CVE-2023-34036

Description

Spring HATEOAS on WebFlux trusts client-supplied (X-)Forwarded… headers, allowing an attacker to craft malicious links in hypermedia responses.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-34036 affects reactive web applications built with Spring WebFlux and Spring HATEOAS. When generating hypermedia-based responses, Spring HATEOAS trusts (X-)Forwarded… headers submitted by clients. This trust allows an attacker to inject a malicious host, port, or scheme into those headers, which the framework then uses to construct links in the response body. The root cause is the lack of validation or discarding of forwarded headers at either the WebFlux or HTTP server level [1][2].

Exploitation

Exploitation requires two conditions: (1) the application uses the reactive WebFlux stack together with Spring HATEOAS to produce hypermedia links, and (2) the infrastructure does not strip or validate client-submitted (X-)Forwarded… headers before the request reaches the application. An attacker with network access to submit HTTP requests can send a request with a crafted X-Forwarded-Host or similar header. The application will then embed that attacker-controlled value into the hypermedia links it returns. No authentication is needed if the vulnerable link-generation endpoint is unauthenticated [1][2].

Impact

By manipulating forwarded headers, an attacker causes the application to emit links that point to a host or path controlled by the attacker. This can lead to open redirect scenarios or phishing attacks when users follow those links. The impact is limited to the trust boundary of the forwarded headers; an attacker cannot directly execute code or access sensitive data via this flaw alone, but the resulting link injection can be chained with other attacks [1][2].

Mitigation

The Spring team has patched the vulnerability in Spring HATEOAS versions 1.5.5, 2.0.5, and 2.1.1; applications should upgrade to these or later releases. Alternatively, infrastructure-level controls (a reverse proxy that overwrites the headers, or a WebFlux-level filter) can be configured to discard or sanitize client-submitted forwarded headers before they reach the application [2].
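The WebFlux-level control mentioned above, as an added example that is not part of this advisory or of Spring's own code. It assumes a Spring Boot 3.x application with spring-boot-starter-webflux and a patched spring-hateoas on the classpath; the class, bean and header-list names are the example's own.

```java
// Added example, not the advisory's or Spring's own code. Assumes Spring Boot 3.x with
// spring-boot-starter-webflux and a patched spring-hateoas on the classpath.
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import org.springframework.web.server.adapter.ForwardedHeaderTransformer;
import reactor.core.publisher.Mono;

@Configuration
public class ForwardedHeaderHardening {
    // Headers that WebFlux and Spring HATEOAS consult when rebuilding the request URI.
    static final List<String> FORWARDED_HEADERS = List.of(
            "Forwarded", "X-Forwarded-Host", "X-Forwarded-Port", "X-Forwarded-Proto",
            "X-Forwarded-Prefix", "X-Forwarded-Ssl", "X-Forwarded-For");
    // Preferred control: WebHttpHandlerBuilder picks up a bean of this type named
    // "forwardedHeaderTransformer" and applies it before any WebFilter. Remove-only mode
    // drops the headers instead of applying them, so links reflect the real connection.
    @Bean
    public ForwardedHeaderTransformer forwardedHeaderTransformer() {
        ForwardedHeaderTransformer transformer = new ForwardedHeaderTransformer();
        transformer.setRemoveOnly(true);
        return transformer;
    }
    // Belt-and-braces fallback for apps that assemble their own HttpHandler and so bypass
    // the transformer bean: strip the same headers in the highest-precedence WebFilter.
    @Bean
    public WebFilter stripForwardedHeadersFilter() {
        return new StripForwardedHeaders();
    }

    static final class StripForwardedHeaders implements WebFilter, Ordered {
        @Override
        public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
            ServerHttpRequest cleaned = exchange.getRequest().mutate()
                    .headers(headers -> FORWARDED_HEADERS.forEach(headers::remove))
                    .build();
            return chain.filter(exchange.mutate().request(cleaned).build());
        }

        @Override
        public int getOrder() {
            return Ordered.HIGHEST_PRECEDENCE;
        }
    }
}
```

If the application sits behind a trusted reverse proxy that overwrites these headers with its own values, keep the transformer in its default mode instead of remove-only so generated links carry the public host, and drop the fallback filter.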

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     | Ecosystem | Affected versions  | Patched versions
org.springframework.hateoas:spring-hateoas  | Maven     | < 1.5.5            | 1.5.5
org.springframework.hateoas:spring-hateoas  | Maven     | >= 2.0.0, < 2.0.5  | 2.0.5
org.springframework.hateoas:spring-hateoas  | Maven     | >= 2.1.0, < 2.1.1  | 2.1.1


References

3