CVE-2024-22233: Spring Framework server Web DoS Vulnerability
Description
In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
- the application uses Spring MVC
- Spring Security 6.1.6+ or 6.2.1+ is on the classpath
Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted HTTP request can cause a denial-of-service (DoS) condition in Spring MVC applications when Spring Security 6.1.6+ or 6.2.1+ is present; fixed in Framework 6.0.16 and 6.1.3.
Vulnerability
Overview
CVE-2024-22233 is a denial-of-service (DoS) vulnerability affecting Spring Framework versions 6.0.15 and 6.1.2. An attacker can trigger the condition by sending specially crafted HTTP requests to an application that uses Spring MVC and has Spring Security 6.1.6+ or 6.2.1+ on the classpath. The issue was identified and responsibly reported by a group of security researchers, including Aleksander Blomskøld and LiveOverflow, as noted in the Spring advisory [2].
Exploitation
Conditions
The vulnerability only manifests when all prerequisites are met: the application must use Spring MVC, and Spring Security version 6.1.6+ or 6.2.1+ must be present. In typical Spring Boot applications, this translates to having both the spring-boot-starter-web and spring-boot-starter-security dependencies. The attack vector is network-based, requires no authentication, and has low complexity, as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) [2].
Impact
A successful exploit results in a denial-of-service (DoS) condition, making the application unresponsive. There is no impact on confidentiality or integrity; the sole consequence is a temporary or prolonged service disruption. The advisory does not indicate any known exploitation in the wild at the time of publication, but the high availability impact warrants prompt patching.
Mitigation
The Spring team has released fixes: Spring Framework 6.0.15 users should upgrade to 6.0.16, and 6.1.2 users should upgrade to 6.1.3. No workarounds are described beyond applying the updated versions. Affected products are only the specified Framework versions; older releases are not impacted [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework:spring-core (Maven) | >= 6.1.2, < 6.1.3 | 6.1.3 |
| org.springframework:spring-core (Maven) | >= 6.0.15, < 6.0.16 | 6.0.16 |
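The conditions in the Exploitation section and the ranges in the table above can be turned into a build-time check. The following is an added example, not code from the Spring project or from this advisory: it parses the text printed by `mvn dependency:tree` (the sample tree below is constructed, with versions chosen to match a Spring Boot 3.2.1 build), flags spring-core versions inside the affected ranges from the table, and reports the application as exposed only when Spring MVC and a qualifying Spring Security version are also present. The reading of "6.1.6+ or 6.2.1+" as 6.1.6 <= v < 6.2.0 or v >= 6.2.1 is an assumption of this example.

```python
"""Dependency-tree check for CVE-2024-22233 (added example, not from the advisory).

Assumptions: input is plain text in the format printed by `mvn dependency:tree`;
the affected spring-core ranges are taken from the advisory table; the phrase
"Spring Security 6.1.6+ or 6.2.1+" is read as 6.1.6 <= v < 6.2.0 or v >= 6.2.1.
"""
import re

# Affected spring-core ranges from the "Affected packages" table:
# (low inclusive, high exclusive, patched version to upgrade to).
SPRING_CORE_RANGES = [
    ((6, 0, 15), (6, 0, 16), "6.0.16"),
    ((6, 1, 2), (6, 1, 3), "6.1.3"),
]

# Matches "group:artifact:jar:version:scope" as printed by mvn dependency:tree.
DEP_RE = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+):(\w+)")

# Constructed sample output (not captured from a real build).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.2.1:compile
[INFO] |  +- org.springframework:spring-webmvc:jar:6.1.2:compile
[INFO] |  \\- org.springframework:spring-core:jar:6.1.2:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-security:jar:3.2.1:compile
[INFO]    \\- org.springframework.security:spring-security-core:jar:6.2.1:compile
"""


def parse_version(text):
    """'6.1.2' -> (6, 1, 2); a qualifier such as '-SNAPSHOT' is dropped, short versions are zero-padded."""
    core = text.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts) + (0,) * (3 - len(parts))


def parse_tree(tree_text):
    """Return {'group:artifact': version_tuple} for every jar line in the tree output."""
    deps = {}
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m:
            deps[f"{m.group(1)}:{m.group(2)}"] = parse_version(m.group(3))
    return deps


def affected_spring_core(version):
    """Return the patched version if `version` is inside an affected range, else None."""
    for low, high, fix in SPRING_CORE_RANGES:
        if low <= version < high:
            return fix
    return None


def security_triggers(version):
    """True for the Spring Security versions the advisory names (6.1.6+ in the 6.1 line, or 6.2.1+)."""
    return (6, 1, 6) <= version < (6, 2, 0) or version >= (6, 2, 1)


def assess(tree_text):
    """Combine all three advisory conditions; 'exploitable' is True only when every one holds."""
    deps = parse_tree(tree_text)
    core = deps.get("org.springframework:spring-core")
    fix = affected_spring_core(core) if core is not None else None
    uses_mvc = "org.springframework:spring-webmvc" in deps
    sec = deps.get("org.springframework.security:spring-security-core")
    sec_hit = sec is not None and security_triggers(sec)
    return {
        "spring_core_affected": fix is not None,
        "uses_mvc": uses_mvc,
        "security_condition": sec_hit,
        "exploitable": fix is not None and uses_mvc and sec_hit,
        "upgrade_to": fix,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_TREE).items():
        print(f"{key}: {value}")
```

Feed it the real output of `mvn dependency:tree` (or `gradle dependencies`, after adapting `DEP_RE` to that format) and act on `upgrade_to`; a project whose spring-core is in range but which lacks MVC or a qualifying Spring Security version still has the vulnerable jar and should upgrade, even though it does not meet all of the advisory's conditions.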
Affected products
Eight entries (seven OSV package coordinates plus one vendor range):
- pkg:apk/chainguard/jenkins (no CPE): < 2.442-r0
- pkg:apk/chainguard/jenkins-compat (no CPE): < 2.442-r0
- pkg:apk/chainguard/jenkins-remoting (no CPE): < 2.442-r0
- pkg:apk/wolfi/jenkins (no CPE): < 2.442-r0
- pkg:apk/wolfi/jenkins-compat (no CPE): < 2.442-r0
- pkg:apk/wolfi/jenkins-remoting (no CPE): < 2.442-r0
- pkg:maven/org.springframework/spring-core (no CPE): >= 6.1.2, < 6.1.3
- Spring/Spring Framework (v5 range): 6.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.